Abstract


In this dissertation I study the properties of singleton kinds and singleton types. These are extremely precise classifiers for types and values, respectively: the kind of all types equal to [a given type], and the type of all values equal to [a given value]. Singletons are interesting because they provide a very general and modular form of definition, allow fine-grained control of type computations, and allow many equational constraints to be expressed within the type system. This is useful, for example, when modeling the type sharing and type definition constraints appearing in module signatures in the Standard ML language; singletons are used for this purpose in the TILT compiler for Standard ML.

However, the decidability of typechecking in the presence of singletons is not obvious. In order to typecheck a term, one must be able to determine whether two type constructors are provably equivalent. But in the presence of singleton kinds, the equivalence of type constructors depends both on the typing context in which they are compared and on the kind at which they are compared.

In this dissertation I present MIL₀, a lambda calculus with singletons that is based upon the representation used by the TILT compiler. I prove important properties of this language, including type soundness and decidability of typechecking. The main technical result is decidability of equivalence for well-formed type constructors. Inspired by Coquand’s result for type theory, I prove decidability of constructor equivalence for MIL₀ by exhibiting a novel — though slightly inefficient — type-directed comparison algorithm. The correctness of this algorithm is proved using an interesting variant of Kripke-style logical relations: unary relations are indexed by a single possible world (in our case, a typing context), but binary relations are indexed by two worlds. Using this result I can then show the correctness of a natural, practical algorithm used by the TILT compiler.
Chapter 1


Introduction 


1.1 Definitions and Constraints in Interfaces 

Many programming languages allow some form of definitions to appear in program unit interfaces. 
In the C language, for example, header files frequently contain definitions of type abbreviations. 
For example, 

typedef struct {
  int x;
  int y;
} point_t;

defines the type name point_t to stand for the type of a record containing two integers named x and y respectively. Such type definitions in C are effectively macros; the main advantage of using typedef rather than the C preprocessor’s #define is that the tortuous syntax of C variable declarations (particularly for function pointers) makes simple textual substitution insufficient [KR88].

The Standard ML language [MTHM97] also permits type definitions to appear in module interfaces. The specification

structure S : sig
  type point_t = {x : int, y : int}
end

says that S is a module containing just one element: a type named point_t. The interface further specifies that this type S.point_t is again the type of a record with two integer components named x and y. Type abbreviations in SML are qualitatively different from typedef, however. This SML code is a true specification, and as such must be a specification of something; if code is compiled in the presence of this interface then at some later point (e.g., link time) a module satisfying this specification must be supplied. Furthermore, the definition in this signature acts as a form of constraint: any module satisfying this specification must contain a type point_t with an equal definition. Supplying a different type leads to a static error, and this is not the behavior of a simple type macro.

The type-theoretic approach to studying programming languages has proved extremely fruitful. By isolating primitive concepts (organized around types), languages can be understood and compared more easily. Such an atomistic approach can lead to the improved design and implementation of programming languages.
Thus the question arises: what primitive language concept corresponds to type definitions in module interfaces? Several studies have effectively taken the entire SML system of modules and interfaces as primitive [HL94, Ler94, Ler95]. However, this is a rather heavyweight notion. In considering a formal calculus with such modules, either the modules are ordinary values and module interfaces just a form of type, or else these are held separate from the rest of the language. In the former case typechecking becomes undecidable [HL94, Lil97]. In the latter case there is a certain redundancy resulting from having structures (collections of types and values) and parameterized modules (functions from modules to modules) separate from ordinary records of values and ordinary functions.

An alternative approach is to focus on the type specification itself, adding to the primitive specifications such as “a type” or “a parameterized type of one argument” specifications of the form “a type equal to [some given type]”. This leads to the notion of singleton kinds. If types or kinds (kinds are the types of types) intuitively correspond to sets, then singleton kinds are sets containing one element; membership in such a set is therefore a very strong statement. Analogously, one can form singleton types, expressing membership in the “collection of values equal to [some given value]”.

The goal of this dissertation is to study the addition of singleton types and kinds to a well-understood type system, with particular emphasis on the important properties of type soundness and decidability of typechecking.

The remainder of this chapter explains more carefully the concepts of singleton types and kinds, 
and shows several examples besides type definitions where singleton kinds and types appear useful 
in theory and practice. I conclude with a high-level overview of the dissertation. 

1.2 The TIL and TILT Compilers 

1.2.1 TIL 

TIL [TMC+96, Tar96, Mor95] was a prototype compiler for the core subset of the Standard ML language [MTHM97]. It was structured as a series of translations between explicitly-typed intermediate languages, and indeed the very name TIL refers to the Typed Intermediate Languages used by the compiler. Each pass of the compiler (e.g., common subexpression elimination or closure conversion) transformed both the program and its type while preserving well-typedness. This framework has several advantages:

• A wide variety of common compiler implementation errors can be detected during compilation by running a typechecker on the compiler’s program representation after each transformation. The location of the type error yields very precise information about which compiler phase introduced the error and which part of the input program triggered the bug. Although the fact that the compiler preserves well-typedness in no way guarantees that it is also meaning-preserving, a very large class of compiler bugs exhibit themselves by creating type errors [Nec98].

• By maintaining full typing information, the compiler is able to support type-based optimizations and efficient data representations; TIL used a type-passing interpretation of polymorphism in which types were passed and analyzed at run-time [HL94, Mor95].

• Typing information can be used to annotate binaries with an easily verifiable certificate 
(proof) of safety, the absence of certain run-time errors [MWCG97, Nec97]. 
The results from TIL — in particular the quality of the generated code — were very encouraging [TMC+96]. However, the implementation was inefficient and could only compile small, complete programs written without use of modules; very few interesting programs meet these criteria. To further test the ideas behind TIL, the members of the CMU Fox Project decided to completely re-engineer the compiler to produce TILT (TIL Two). The aim was to produce a more practical compiler based on typed intermediate languages which could handle separate compilation, the complete SML language, and large inputs. The biggest research challenge in scaling up the compiler to the full language was adding support for modules.


1.2.2 Standard ML Modules 


Modules in SML are “second-class” entities — there are no conditional module expressions, nor may modules be assigned to mutable variables or be passed to or returned from ordinary functions. The basic form of an SML module is a structure, which is a package of types, values, and sub-modules. Structure signatures, the interfaces of structures, consist of a corresponding collection of type, value, and module specifications. Value specifications give the type of a value component, and module specifications give the signature of a module component. Type specifications may either be opaque (specifying only the kind of the component) or transparent (exposing the type’s definition). For example, consider the following structure specification:


structure Set : sig
  type item = int
  type set
  type setpair = set * set
  val empty : set
  val insert : set * item -> set
  val member : set * item -> bool
  val union : setpair -> set
  val intersect : setpair -> set
end


This states that Set has three type components: the type Set.item known to be equal to int, the type Set.set about which nothing is known, and the type Set.setpair which is the type of pairs of Set.set’s. Set also contains five value components; from the names, presumably Set.empty will be a representation of the empty set, Set.union computes the union of a pair of sets, and so on.

There are two important points to note about this example. First, equivalences such as the one between Set.item and int are open-scope definitions available to “the rest of the program”, which may not be written yet when this module is compiled. Such definitions cannot be eliminated by a simple local substitution and forgotten. Second, in a type-passing implementation like TILT types are computed and stored by the run-time code. Although it is possible to get rid of type definitions in signatures by replacing all references to these components with their definitions [Sha98] this is not necessarily a good idea in a type-passing implementation; such substitutions could substantially increase the number of type computations performed at run-time.

An alternative method of expressing information about type components in signatures is by type 
sharing specifications; these specify that two particular type components have the same definition. 

Figure 1.1 (adapted from [MT91, p. 65]) shows two equivalent definitions for the signature for the front end of a compiler. The first definition states that the front end has two sub-structures: a lexer implementation (which takes a string of characters and splits it up into a list of tokens, which presumably would be things like identifiers or language keywords) and a parser implementation (which takes a list of tokens and translates these into an abstract syntax tree, making the program structure apparent). The Lexer and Parser sub-structures each have their own notion of tokens; only the final line of this signature specifies that these two notions are compatible. As a consequence, it is allowable to compose the two functions Lexer.lex and Parser.parse together.

signature FRONTEND =
sig
  structure Lexer : sig
    type token
    val lex : string -> token list
  end
  structure Parser : sig
    type token
    type ast
    val parse : token list -> ast
  end
  sharing type Lexer.token = Parser.token
end

signature FRONTEND =
sig
  structure Lexer : sig
    type token
    val lex : string -> token list
  end
  structure Parser : sig
    type token = Lexer.token
    type ast
    val parse : token list -> ast
  end
end

Figure 1.1: Constraints via Type Sharing or Type Definitions

Such sharing type constraints do not add expressiveness to the language because they can always be viewed as syntactic sugar for the definitions of type components [HS00]. The second definition in Figure 1.1 defines an equal signature using a type definition.

Modules may be given less-specific signatures using subsumption — the signature of a module may be weakened to a “larger” signature in the sub-signature ordering. The important part of this ordering is that omitting constraints on types makes structure sharing less precise¹. For example, a structure satisfying the signature

¹ In SML, the subsignature relation also lets structure components be forgotten or reordered; this coercion is definable and hence does not add essential expressiveness [HS00].
structure Set : sig
  type item = int
  type set = int list
  type setpair = (int list) * (int list)
  val empty : set
  val insert : set * item -> set
  val member : set * item -> bool
  val union : setpair -> set
  val intersect : setpair -> set
end

(which exposes the implementation of sets as lists of integers) would also satisfy the previous 
specification, while an implementation satisfying either of these specifications would further satisfy 
the less-demanding specification 

structure Set : sig
  type item
  type set
  type setpair
  val empty : set
  val insert : set * item -> set
  val member : set * item -> bool
  val union : setpair -> set
  val intersect : setpair -> set
end.

The Standard ML module system also permits formation of parameterized modules called functors; functors are simply a form of function mapping modules to modules. In the official SML module system there is no way to express the interface of a functor; such an interface would specify the signature of the result in terms of the functor argument. However certain compilers like SML/NJ [MT94, CM94] extend the SML language with higher-order functors and functor signatures. The sub-signature relation is then extended to functor signatures in the usual way: contravariantly in the domain and covariantly in the codomain. In any case, an SML compiler must have an internal notion of functor signature in order to do typechecking in the presence of functor applications.

1.2.3 Phase-Splitting in TILT 

The primary intermediate language of the TIL compiler was based on Fω, the higher-order polymorphic lambda calculus [Gir72]. One goal of the TILT redesign was to minimize changes to the internal languages, in the hope that this would minimize the work needed to port the TIL optimization and code generation phases.

Fω contains the type and kind structures alluded to above, but no module system. However, modules and signatures can still be faithfully represented using ideas of Harper, Mitchell, and Moggi [HMM90, Sha98]. Their key insight was that every module can be uniformly transformed away via a process called phase-splitting into two pieces: a type part and a value part. For example, structures, which are aggregates of both types and values, become two collections: one of types and one of values. The more interesting observation is that functors can be split in the same way. Functors map types and values in one structure to types and values in another structure. However, types in the result can only depend on types (not values!) in the argument. This means that a functor can be split into its behavior on types (which can be expressed as a function mapping records of types to records of types) and its behavior on values (expressed as a polymorphic function in Fω).

Signatures then split in a parallel fashion. Structure signatures, for example, split into a kind describing a collection of types and a type describing a collection of values. For example, the structure

struct
  type t = int
  val n = 3
  val succ = fn (n:int) => n+1
end

splits into two parts: a collection of types (in this case, a one-element collection) 

{t = int} 

and a collection of two values 

{n = 3, succ = fn (n:int) => n+1}. 

The signature 
sig
  type t
  val n : int
  val succ : int -> int
end

correspondingly splits into two parts: the kind of a single-element collection of types 
{t :: TYPE} 

and the type of a collection of two values 
{n : int, succ : int -> int}. 

Fω suffices for these and many other examples. However, a difficulty arises in the specification for sets:

structure Set : sig
  type item = int
  type set
  type setpair = set * set
  val empty : set
  val insert : set * item -> set
  val member : set * item -> bool
  val union : setpair -> set
  val intersect : setpair -> set
end
This should split into a specification for a collection Set_types of three types and a collection Set_values of five values, but what kind should Set_types have? It is clear that translating the above SML code into the specifications

Set_types :: {item :: TYPE, set :: TYPE, setpair :: TYPE}

Set_values : {empty : Set_types.set, ...}

(where I have elided the types for the remaining components of Set_values) loses important information about the definitions of item and setpair. If Set_types.item is no longer recorded as equal to int, then code may suddenly fail to typecheck.

One possibility is to substitute away all such type definitions. Because of the subsignature relation this is not so trivial an operation as it might appear, but there is no essential difficulty [Sha98]. However, in the TILT compiler types correspond to run-time values, and the effect of such a substitution is to duplicate run-time computations. Our goal was to avoid such duplication.

1.3 Dependent and Singleton Kinds 

The choice made in TILT was to extend the kind structure with dependent and singleton kinds. The singleton kind S(A :: K) is the kind of “all type constructors of kind K which are equal to A”. That is, the defining property is that the type constructor A has kind S(B :: K) if and only if A and B are equal type constructors of kind K. Since the type constructors form a small lambda calculus, I consider equality of types to be based on the usual βη-equivalence of lambda terms². Note that in the presence of singletons assumptions about the kinds of type variables can affect the provable equalities, and the equational theory of types affects what types can be shown to have which kinds.

The kinds in TILT were further extended with dependencies. First, in kinds of collections of 
types, the kind of each component may depend upon the contents of earlier components. With this 
extension, it becomes easy to phase-split the Set specification: 

Set_types :: {item :: S(int :: TYPE), set :: TYPE, setpair :: S(set*set :: TYPE)}
Set_values : {empty : Set_types.set, ...}

Singleton kinds are used here to expose the definitions of item and setpair. Further, the definition 
of setpair involves a dependency: its kind depends on the contents of the set component. 

Similarly, in the kinds of functions mapping type constructors to type constructors, the kind of 
the result is allowed to depend on the argument given to the function. This is used to express the 
dependencies of types returned from a functor on the functor’s argument. 

The final extension in the TILT kind structure is a subkinding relation, a preorder K₁ ≤ K₂ which holds when K₁ is a more-precise (less general) kind than K₂. This relationship is induced by the relation S(A :: K) ≤ K; that is, all “types of kind K equivalent to A” are also “types of kind K”. Subkinding is used to model the SML sub-signature relation.

1.4 Dependent and Singleton Types 

The extensions to the kind level can be applied at the level of types as well. This leads to singleton types of the form S(e : τ), the type of “all values of type τ equal to e”, as well as dependent function and record types, and subtyping.

² The simpler β-equivalence might suffice in practice, but having both β and η leads to a more expressive and more interesting language. It is also not clear that using this stronger equivalence relation would substantially simplify the metatheoretic results I study in this thesis. (See the proofs for decidability of term equivalence.)

sig
  structure BinaryTree : sig
    structure Key : sig
      type t
      val lesseq : t * t -> bool
    end
    type value
    type tree
    val insert : Key.t * value * tree -> tree
    ... other binary tree operations ...
  end
  structure PriorityQueue : sig
    structure Key : sig
      type t
      val lesseq : t * t -> bool
    end
    type value
    type pqueue
    val insert : Key.t * value * pqueue -> pqueue
    ... other priority queue operations ...
  end
  sharing BinaryTree.Key = PriorityQueue.Key
end

Figure 1.2: Structure Sharing

The designer of a system of singleton types must choose a reasonable notion of equality; in the 
presence of side-effecting program terms this is not obvious. Ideally equality would be observable 
equivalence: two expressions would be equal if and only if they are indistinguishable in any program 
context. However, for any interesting term language this relation is not decidable. (For example, 
checking contextual equivalence with a non-terminating expression in this language is equivalent to 
the halting problem.) Because typechecking in the presence of singleton types requires determining 
equivalence of terms, this would immediately lead to a system where there is no algorithm to check 
the well-formedness of programs. 

I choose to study a simple equivalence: a congruence based on projection rules for pairs, extended by singleton types. To avoid problems with side effects, I restrict singleton types to contain only values, and I extend the congruence with the principle that a value v₁ has type S(v₂ : τ) if and only if v₁ and v₂ are equivalent and of type τ. (In the presence of recursion there is a non-terminating expression of type τ for any well-formed τ. Hence there is a non-terminating expression e of type S(3 : int). But since 3 and e are clearly not observably equivalent, they should not be provably equal; hence the restriction to values.)

sig
  structure T : sig
    val n : int
  end
  structure U : sig
    val m : int
  end
  sharing T = U
end

Figure 1.3: Pointless Structure Sharing

What use are such singletons? Consider the SML code in Figure 1.2. The interface shown here specifies two sub-modules BinaryTree and PriorityQueue that implement abstract data types for binary trees and priority queues respectively. Each sub-module has its own notion of how keys are represented (the type Key.t) and ordered (the relation Key.lesseq). In current versions of Standard ML, sharing constraints are simply an abbreviation for sharing type constraints between the opaque type components common to both structures. Since there is only one such component, the constraint is exactly equal to the constraint

sharing type BinaryTree.Key.t = PriorityQueue.Key.t. 

This then allows the same key value to be used in a binary tree and in a priority queue. (Note however, that the values stored in binary trees and the values stored in priority queues need not be of the same type; there is no constraint requiring BinaryTree.value to be the same type as PriorityQueue.value.) This constraint can be modeled as before with singleton kinds by specifying

PriorityQueue.Key.t :: S(BinaryTree.Key.t :: TYPE).

In the original 1990 definition of Standard ML [MTH90], however, the sharing constraint in Figure 1.2 actually requires the structures BinaryTree.Key and PriorityQueue.Key to be the same structure. As a consequence, not only must the representation type for keys be equal, but the two lesseq orderings will be equal. In SML ’90 then, whether a given module satisfies this interface or not (a question of typechecking) depends on the values of the Key substructures.

To model the spirit of this sharing constraint, I can use singleton types. Let t stand for the type PriorityQueue.Key.t. Then I can model the constraint by using singleton kinds as previously mentioned and further requiring

BinaryTree.Key.lesseq : S(PriorityQueue.Key.lesseq : t * t -> bool).

This does not require that the two Key structures be exactly the same structure, but does require that corresponding components of the two structures are equal. Because one cannot do assignment directly to components of a structure, however, there is no run-time behavior that can distinguish two componentwise-equal structures; this leads to a more permissive type system while not permitting any changes in run-time behavior.

Not all instances of SML ’90 structure sharing can be modeled with singleton types. For 
example, the signature in Figure 1.3 requires that the T and U substructures be different views of 
the same underlying structure. It makes no sense to model this with a dependent record type such 
as 
{T : {n : int}, U : S(T : {m : int})}

because this would be ill-formed; T does not have type {m : int}. However, since the sharing constraint in Figure 1.3 does not actually place any restriction on the values of the n and m components, the practical utility of such a specification seems extremely minimal.

1.5 Other Uses for Singletons 

1.5.1 Closed-Scope Definitions 

In many λ-calculi “let-bindings” or “closed-scope definitions” are treated as syntactic sugar. For example,

let x:int = 3 in (x+1)

would be encoded as the function application

(λx:int. x+1)(3).

However, this sort of transformation is not always legal. In Fω, for example, one cannot generally equate

let t::TYPE = int*int in e

where e is some expression with

(λt::TYPE. e)(int*int)

because in the former case we know that t = int*int while typechecking e, while in the latter case e must be typecheckable knowing only that t is some type.

The alternative definition 

[int*int/t]e 

(that is, the result of replacing t with int*int everywhere in e) will preserve meaning and well- 
typedness, but involves arbitrary duplication of types. 

Some authors have therefore considered let-bindings (and generally, the notion of variables-with-definitions) as a primitive. For example, the pure type system of Severi and Poll [SP94] adds a new let-binding primitive written x=a:A in b, and the definitions of variables are maintained during typechecking.

In a language with singleton kinds, however, let-bindings of types become definable via functions:

let t::TYPE = int*int in e

becomes

(λt::S(int*int :: TYPE). e)(int*int).

This time the typechecker knows while typechecking e that t = int*int because this is apparent from the kind of t.

1.5.2 TILT Program Transformations 

The encoding of let in the previous section is primarily a theoretic curiosity. However, similar 
transformations do come up in practice; there are several places in the TILT compiler where it 
could be beneficial to take types computed within a function body and turn these into new type 
arguments to be passed into the function at run-time. This comes up in loop invariant removal, in 
uncurrying, and in closure conversion [MMH96]. An example will make this clearer; consider the 
following code, written in an approximation of the compiler’s internal representation: 
let
  function F(α::TYPE, y:α) = G(α×α, (y,y))
in
  ... F(int, 3) ... F(int, 4) ... F(int, 5) ...
end

This code presupposes a polymorphic function G taking a type and an argument of this type. The polymorphic function F also takes a type α and a value y of this type; it creates the pair (y,y) and its type α×α, and then passes these to G. Elsewhere in the code, F is called several times.

Now on each call, F constructs the type α×α in order to pass this to G. In a type-passing implementation like TILT, this corresponds to actual instructions executed at run-time. Since F is repeatedly being given the same type argument int, it would be preferable to compute int×int just once; this could be performed by having the caller pass int×int as a new function argument. Such a transformation leads to the following code:

let
  function F(α::TYPE, β::TYPE, y:α) = G(β, (y,y))
  type t = int×int
in
  ... F(int, t, 3) ... F(int, t, 4) ... F(int, t, 5) ...
end

Operationally, this new code is correct. Unfortunately, it no longer typechecks; in a standard typed lambda calculus there is no way to perform this particular transformation while preserving well-typedness.

The problem with the above code is that according to the specification of the arguments, F could be called with any two types. Therefore, there is no reason why the pair (y,y) should have type β. The intent is that every call to F should pass a type α and the type α×α, but if this is not a constraint being checked by the type system it is unsafe to assume this will always be true.

The TILT compiler is based on the principle of type-preserving transformations; we forbid transformations leading to ill-typed programs. What is needed is a way to constrain the new type variable so that the compiler knows it will be given the type α×α. Equally importantly, the compiler should be able to check that every application of F obeys this constraint.

Singleton kinds provide exactly the mechanism required to transform type expressions into function arguments while preserving well-typedness. The code becomes

let
  function F(α::TYPE, β::S(α×α :: TYPE), y:α) = G(β, (y,y))
  type t = int×int
in
  ... F(int, t, 3) ... F(int, t, 4) ... F(int, t, 5) ...
end

This typechecks because we have introduced the appropriate constraint into the type system; the body of the function F will typecheck if we can show that the type constructor β is equivalent to the type of (y,y), namely α×α. But β::S(α×α :: TYPE) implies that β = α×α :: TYPE, as required.
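As an added illustration, not code from the dissertation or from TILT, the following Python sketch implements just enough of the kind structure of Section 1.3 to show why the two versions of F differ: constructor equivalence is computed relative to a typing context, and a singleton kind in that context supplies a definition to unfold. It also checks the phase-split Set specification; the names Set_types, alpha and beta and the encoding of dependent record kinds are this example's own choices.

```python
from dataclasses import dataclass
from typing import Dict, Tuple, Union

# Type constructors: int, variables, products, and projections from records.
@dataclass(frozen=True)
class Int: pass
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Prod: left: "Con"; right: "Con"
@dataclass(frozen=True)
class Proj: record: "Con"; label: str
Con = Union[Int, Var, Prod, Proj]

# Kinds: TYPE, the singleton S(A :: K), and dependent record kinds whose later
# fields may mention earlier labels as Var(label), as in setpair :: S(set*set :: TYPE).
@dataclass(frozen=True)
class Type: pass
@dataclass(frozen=True)
class Single: con: Con; kind: "Kind"
@dataclass(frozen=True)
class Record: fields: Tuple[Tuple[str, "Kind"], ...]
Kind = Union[Type, Single, Record]
Context = Dict[str, Kind]  # typing context: constructor variable -> its kind


def subst_con(con: Con, env: Dict[str, Con]) -> Con:
    """Replace free variables in a constructor according to env."""
    if isinstance(con, Var):
        return env.get(con.name, con)
    if isinstance(con, Prod):
        return Prod(subst_con(con.left, env), subst_con(con.right, env))
    if isinstance(con, Proj):
        return Proj(subst_con(con.record, env), con.label)
    return con


def subst_kind(kind: Kind, env: Dict[str, Con]) -> Kind:
    """Substitute into the constructors embedded in a kind."""
    if isinstance(kind, Single):
        return Single(subst_con(kind.con, env), subst_kind(kind.kind, env))
    if isinstance(kind, Record):
        env, out = dict(env), []
        for label, k in kind.fields:
            out.append((label, subst_kind(k, env)))
            env.pop(label, None)  # from here on the label is bound by the record
        return Record(tuple(out))
    return kind


def kind_of(ctx: Context, con: Con) -> Kind:
    """Synthesize a kind; projecting a field instantiates its dependencies."""
    if isinstance(con, (Int, Prod)):
        return Type()
    if isinstance(con, Var):
        return ctx[con.name]
    rk = kind_of(ctx, con.record)
    if not isinstance(rk, Record):
        raise TypeError(f"projection from non-record kind {rk}")
    env: Dict[str, Con] = {}
    for label, k in rk.fields:
        if label == con.label:
            return subst_kind(k, env)
        env[label] = Proj(con.record, label)  # earlier field -> its projection
    raise TypeError(f"no field {con.label!r}")


def expand(ctx: Context, con: Con) -> Con:
    """Normalize by unfolding every definition that a singleton kind records."""
    if isinstance(con, Prod):
        return Prod(expand(ctx, con.left), expand(ctx, con.right))
    if isinstance(con, (Var, Proj)):
        k = kind_of(ctx, con)
        if isinstance(k, Single):
            return expand(ctx, k.con)
    return con


def equiv(ctx: Context, a: Con, b: Con) -> bool:
    """Constructor equivalence, relative to the typing context."""
    return expand(ctx, a) == expand(ctx, b)


# Constructed example 1: the phase-split Set specification of Section 1.3.
SET_TYPES = Record((
    ("item", Single(Int(), Type())),
    ("set", Type()),
    ("setpair", Single(Prod(Var("set"), Var("set")), Type())),
))
SET_CTX: Context = {"Set_types": SET_TYPES}
S = Var("Set_types")

# Constructed example 2: the body of F from Section 1.5.2, with and without
# the singleton constraint on the new argument beta; PAIR_TYPE is the type of (y,y).
WITH_SINGLETON: Context = {"alpha": Type(),
                           "beta": Single(Prod(Var("alpha"), Var("alpha")), Type())}
WITHOUT_SINGLETON: Context = {"alpha": Type(), "beta": Type()}
PAIR_TYPE = Prod(Var("alpha"), Var("alpha"))
```

The same pair of constructors, Var("beta") and PAIR_TYPE, is equivalent under WITH_SINGLETON and not under WITHOUT_SINGLETON, which is the context dependence the abstract refers to.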

Note that an apparently simpler solution to this problem would be to compile F in curried 
fashion: 
let
  function F(α::TYPE) =
    let
      type β = α×α
      function F'(x:α) = G(β, (x,x))
    in
      F'
    end
  F_int = F(int)
in
  ... F_int(3) ... F_int(4) ... F_int(5) ...
end

Here F now just takes a single argument, a type α. It computes α×α and returns a function which expects an argument x of type α. The caller can apply F to int once (computing int×int once) and then apply the resulting function repeatedly. This does typecheck without singletons, and might seem to solve the problem. However, this transformation introduces higher-order functions, which are implemented via a transformation called closure conversion. The closure-conversion transformation involves taking every function and turning its free variables into arguments; in particular, β will become an argument of the function F', and we have exactly the same typechecking problem as we started out with [MMH96].

1.5.3 Cross-Module Inlining

While language features such as abstraction, modularity, polymorphism and higher-order functions have important software engineering benefits, they often impose a run-time cost. Using abstract types or polymorphism can mean that data layouts are not known until run-time. Uses of modularity and higher-order functions can substantially increase the number of function calls, which can be particularly costly on modern processors.

If pieces of a program are compiled and optimized completely separately (“true” separate compilation) it is hard to avoid the costs of abstraction. At the other end of the spectrum, a compiler can do whole-program optimization and generate substantially better code. Unfortunately, the analysis required is usually unusably slow for large inputs and requires source code for the entire program (including libraries). However, in many cases it suffices to do incremental compilation, in which each file is compiled after all of its imports. This allows the compiler to use information gathered while compiling the imports in order to do a better job of compiling the current file. The compiler writer must then decide what information the compiler should collect and store and how to represent it.

For separate compilation in a statically typed framework, a minimal requirement is that the 
compiler must know the type of all external references. This leads to such mechanisms as header 
files in C, where the interface of a compilation unit gives the types of its exported components. This 
also leaves open the possibility of checking that a compilation unit matches the claimed interface. 

An elegant and systematic method of handling incremental compilation is to use the same 
mechanism — where the interface of each unit contains typing information for all exports — but 
to have the compiler generate the interface directly from the code. This combines cleanly with 
separate compilation; the programmer can write interfaces for some pieces of the program and have 
the compiler generate the remainder. 

Of course the compiler can determine more information than just simple types when given the source code. A very important optimization for incremental compilation is cross-module inlining. This transformation replaces references to imported values, types, and functions with their actual implementations. In order to achieve this, the interface must express this information, namely include the implementations of abstract types, the values of variables, the definitions of functions, and so on. Thus interfaces change from specifying that “x is an integer constant” to “x is an integer constant equal to 3” and from “succ is a function mapping floats to floats” to “succ is equal to the function which maps a float f to f+1.0”. In order to maintain the elegance of interfaces containing only type information, this optimization requires a more expressive type system in which such information can be expressed.

Inlining is the process of replacing a reference to a value with the value itself. In my system of singleton types, if v : S(v' : τ) then the compiler may replace any use of v (in a context expecting a value of type τ) with v'. Singletons can be directly applied to traditional cross-module inlining.
Suppose we want to be able to take a definition such as the following (for the successor function 
on integers) 

succ = λx:int.x+1

and allow other modules to replace succ by this function (if it seems locally beneficial). This can 
be achieved by specializing the type of succ in the interface; instead of saying 

succ : int→int


it can instead say 

succ : S(λx:int.x+1 : int→int).

Conversely if the compiler sees that an import such as succ has a singleton type, it is justified in 
replacing this reference with the actual definition. 

The restriction that well-formed singletons can contain only values suffices for most inlining 
purposes because the most important case is inlining of function definitions, and functions are 
values. It is possible that a less conservative approximation might be useful so that we can inline, 
for example, polymorphic instantiations and partial applications of curried functions. This should 
be possible by replacing this restriction to values with a restriction to a set of “valuable terms”, 
terms whose evaluation is guaranteed to terminate without side-effects or reference to mutable 
storage [HS00]. 

Values in singletons need not be closed, but they must be well-formed and hence cannot refer 
to items not exported in the interface. In practice, this may require extending interfaces with extra 
components. 

Note that the approach to inlining using singletons is subtly different from C++ inline functions in header files, or from the lambda-splitting of Blume and Appel [BA97]. There the functions to be inlined are essentially definitions prepended to the program unit being compiled. Whenever the compiler decides not to inline uses of these functions, it must compile a new local version of the code to call. In contrast, singleton types and kinds used for inlining purposes are specifications of an imported piece of code, which may be referred to if inlining does not appear useful. (Of course, since the compiler has the definition it could also choose to create a local copy of the code to call, as yet another alternative to inlining the function’s code.)

A more interesting problem is the case where the compiler wants to inline an import which 
may not have been written yet. This can only occur, of course, if the compiler has some reason to 
believe it can correctly “predict” what the import’s eventual implementation will be. An example 
of this arises in TILT due to Standard ML datatypes. 
The datatype mechanism is one of the most successful features of Standard ML. Datatypes combine notions of enumerations, tagged unions, and recursive types into a common framework. A single datatype definition such as

datatype tree = Leaf of int | Node of tree*tree 

automatically generates 

• An abstract type tree. 

• The functions Leaf of type int->tree and Node of type tree*tree -> tree for creating 
new trees; 

• Support for discrimination and decomposition for values of type tree via pattern-matching; 

• A structural equality for trees. 

This can be easily modeled as a structure containing one (abstract) type component and several value components. Similarly, a datatype specification in a signature would correspond to the signature of the appropriate structure [HS00, HS97].

The disadvantage of this elegant encoding is efficiency. Datatype constructors and pattern-matching are used heavily in SML code: making every such use into a function call is unacceptably inefficient. Similarly, although datatypes are officially abstract and must be typechecked as such in the source code, it is often possible to determine from a datatype’s description the underlying implementation type for this datatype.³ Taking advantage of this knowledge would enable more efficient code generation.

Blume [Blu97] suggests that this problem can be overcome by aggressive cross-module inlining. 
As the functions corresponding to datatype constructors and pattern-matching are generally small 
pieces of code, they will automatically be exported by the defining compilation unit and inlined into 
client compilation units. This approach seems logical and should work quite well — but only where 
it applies. A deficiency is that it does not help when doing separate compilation or compiling SML 
functors (parameterized modules) which take datatypes as arguments. In these cases no datatype 
implementation has been specified yet, so there is nothing to inline. 

However, if the compiler can predict which types and code will be later supplied as the functor 
argument, then we are justified in inlining these types and code into the functor body and ignoring 
the actual argument when it is later applied. There is no typechecking problem involved in this 
transformation, but for correctness purposes it might be convenient to have a way of formalizing 
this prediction and a way of checking that the prediction was correct. Singleton types and kinds 
provide a natural way to record such a prediction: the functor’s arguments can be annotated with 
singleton types and kinds for the datatype components, and inlining can then proceed as discussed 
above. 

Note that because specializing the functor argument to require a particular datatype implementation gives the functor a strictly less-general type, functor applications which were previously valid may no longer typecheck. This is actually an advantage because a typechecking failure occurs when the predicted code does not match the actual implementation; since both parts are automatically generated by the compiler, a typechecking failure here must mean that the compiler is in error.

There is nothing original about inlining datatypes, separately compiled or not. Any reasonable ML compiler must do this for efficiency. However, this often occurs in an ad-hoc fashion. With singleton types and kinds a compiler can systematically maintain the datatypes-as-structures encoding throughout the entire compiler, without any loss of efficiency.

³ In general this may require a non-trivial equational theory for recursive types, however [CHC+98].
1.6 Dissertation Summary


In Chapter 2, I introduce the MIL₀ calculus, a formalization of the key features of the TILT intermediate representation. This language is a predicative variant of the familiar lambda calculus Fω, extended with pairs, recursion, and singleton types and kinds. I show that the addition of singletons leads to a calculus with very interesting equational properties; most notably, whether two type constructors are provably equivalent depends strongly on both the typing context and on the kind at which the type constructors are compared.

Chapter 3 contains proofs for many standard properties of the MIL₀ calculus, such as preservation of well-typedness under substitutions and the admissibility of useful typing rules. In particular, although the definition of MIL₀ includes only a very restricted form of singleton kind, general singleton kinds are definable.

Chapter 4 gives algorithms for deciding the kind and constructor-level judgments (e.g., given a well-formed context and a type constructor A, determine whether there is a kind K such that A is well-formed with kind K). This includes an algorithm for constructor equivalence inspired by Coquand’s approach to βη-equivalence for a type theory with Π types and one universe [Coq91]. Coquand worked with an algorithm which directly decides equivalence, rather than defining a confluent and strongly-normalizing reduction relation. In contrast to Coquand’s system, MIL₀ type constructors cannot be compared by shape alone; equivalence depends on both the typing context and the classifier. Where Coquand maintains a set of bound variables, my algorithm maintains a full typing context. Similarly, he uses the shapes of the items being compared to guide the algorithm, where my algorithm uses the classifying kind. (For example, where Coquand would check whether either constructor is a lambda-abstraction, this algorithm checks whether the constructors are being compared at a function kind.) I show the algorithms are sound with respect to the language definition.

In Chapter 5 I prove the completeness and termination of the algorithms in the previous chapter. This reduces to proving the completeness and termination of the constructor equivalence algorithm. Unfortunately I cannot analyze the correctness of this algorithm directly; asymmetries in the formulation preclude a direct proof of such simple properties as symmetry and transitivity. (Both are immediately evident in Coquand’s case.) Instead, I analyze a related but less efficient algorithm which restores symmetry and transitivity by maintaining redundant information. The proof that this revised algorithm is complete and terminating for all well-formed inputs was inspired by Coquand’s use of Kripke logical relations, but the details differ substantially. My proof uses a novel form of Kripke logical relation employing two worlds, rather than one. The correctness of the revised algorithm can then be used to show the correctness of the original, simpler constructor equivalence algorithm. This yields the implementation used by the TILT compiler.

I then repeat the development for types and terms. Chapter 6 gives algorithms for deciding the type and term-level judgments; I show these algorithms are also sound with respect to the corresponding judgments in the MIL₀ definition. The proof in Chapter 7 of the completeness and termination of the term and type algorithms proceeds essentially along the same lines as the proofs in Chapter 5. The simpler notion of equivalence for term-level functions makes some parts of these proofs easier, but others are complicated by the fact that type equivalence is less trivial than kind equivalence.

Chapter 8 shows the MIL₀ type system to be sound with respect to its operational semantics. The proof is very straightforward, but depends critically on using the soundness and completeness of the constructor equivalence algorithm to show consistency properties of constructor equivalence.
In Chapter 9 I show how to extend these proofs when the MIL language is extended with intensional polymorphism (i.e., with run-time constructor analysis constructs) [HM95, Mor95]. This involves surprisingly little change to the previous development.

Finally, Chapter 10 surveys the related literature and concludes with a collection of conjectures 
and possibilities for future work. 
Chapter 2

The MIL₀ calculus

2.1 Overview

The TILT compiler uses as its main internal representation of programs a typed language called 
the “Mid-level Intermediate Language”, or MIL. This is a relatively high-level language; it includes 
first-class functions, assignment, and exception handling, with no explicit reference to memory 
layout or allocation/deallocation. However, it contains no notion of a module system. 

More formally, MIL is a variant of the higher-order polymorphic lambda calculus [Gir72]. The language has four levels:

• The terms or expressions of the language. These include constants, recursive functions, applications, pairs, records, assignments, exceptions, etc.

• The types, which classify terms. A term is well-formed if and only if it has a type.

• The type constructors, or simply constructors.¹ This level contains items corresponding to certain types (these constructors might be considered “the names of types” or “types as data”) as well as functions and pairs, forming a small λ-calculus in itself.

• The kinds, which serve as types for the language of constructors.

The distinction between types and the corresponding type constructors is made because MIL 
is a predicative language. In an impredicative language, polymorphic types involve quantification 
over all types, including the polymorphic types themselves. Although one can make sense of this 
circularity [Gir72], it substantially complicates the metatheory of the language and hence has been 
avoided here. 

In this chapter, I formally define MIL₀, a simplified calculus which captures most of the essential features of the full MIL. The primary differences are:

• The term language has been substantially pared down to contain only recursive functions, pairs, and polymorphism. Assignment and exceptions have been omitted, so that the only remaining side-effect is nontermination. In the full MIL, functions can take any fixed number of constructor and term arguments, and polymorphic recursion is allowed. (When compiling a source language like SML which does not allow polymorphic recursion [Myc84], however, the utility of this last feature is limited.) For simplicity, MIL₀ separates term abstractions and polymorphic abstractions, and disallows polymorphic recursion.

¹ This terminology conflicts with the common usage of “constructor” in ML to refer to the term constructors defined by datatypes. However, context will always make clear which sense of constructor is meant.
• MIL function types have been similarly split into universally-quantified types for polymorphic expressions and ordinary (dependent) function types for term-level functions. MIL contains several varieties of function type (the types of potentially open functions, closed functions, or closures, each of which may be partial or total). Only potentially open, partial functions are modeled here.

• Constructor functions in MIL are multiargument, while MIL₀ constructor functions must be curried to get the same effect.

• For clarity, all constructor analysis constructs used by TILT (e.g., typecase or typerec [HM95]) have been omitted from MIL₀. Such features are essentially orthogonal to my main topic, the effects of adding singletons to the calculus. However, the methods of this dissertation can be applied even in the presence of constructor analysis. In Chapter 9 I sketch the (minor) changes to the development required.

• The MIL as actually implemented uses a relatively strong equivalence for recursive type constructors. (Specifically, two recursive type constructors are considered equivalent if their unrollings are equivalent [CHC+98].) This extension is omitted from MIL₀.

For the most part, extending the theory of this chapter to handle the full MIL should not present 
any fundamental difficulty. The proofs do become more technically involved (for example, when 
going from pairs to n-ary labeled records) but the essential arguments do not change. Note that 
since this is an explicitly-typed framework, adding polymorphic recursion creates no challenges. 

The one case where the methods do not extend is when considering an interesting equational 
theory for recursive types. (I see no way to create an obviously symmetric and transitive algorithm 
in the presence of recursive types.) There is an obvious extension of my algorithms that appears 
to work in practice; the FLINT compiler uses a very similar algorithm. 

This is not simply an issue of adding singletons: in the literature there appears to be little study of algorithms for equating recursive types when there are interesting equations beyond those induced by recursive types. (The only instance I have found is the work of Palsberg and Zhao on type isomorphisms in the presence of recursive types [PZ00].) For example, no one has looked at the decidability of typechecking for Fω (where there is βη-equivalence at the type level) extended with recursive types.

As an alternative to extending the theory to the full MIL, the language itself could be simplified. An alternative MIL could use a much simpler equational theory for recursive types, at the cost of requiring explicit type coercions (i.e., isorecursive types rather than equirecursive types [CHC+98]). There are no problems in extending the theory of MIL₀ in this fashion.

This chapter contains a definition of MIL₀ split into two parts: compile-time and run-time aspects. §2.2 contains the context-free syntax of the language and the context-sensitive rules for determining whether phrases in the language are well-formed, and §2.3 contains a number of admissible rules which follow from this definition. Then §2.4 explains the meanings of complete programs by defining a notion of evaluation.

2.2 Syntax and Static Semantics of MIL₀

The abstract syntax of MIL₀ is shown in Figure 2.1. As usual, I work modulo renaming of bound variables (i.e., modulo α-equivalence). The meaning of each construct is explained in tandem with the static semantics.
$$
\begin{array}{lllll}
\textit{Typing Contexts} & \Gamma, \Delta & ::= & \bullet & \text{Empty context} \\
 & & \mid & \Gamma, \alpha{::}K & \\
 & & \mid & \Gamma, x{:}\tau & \\[4pt]
\textit{Kinds} & K, L & ::= & \mathrm{T} & \text{Kind of names of types} \\
 & & \mid & \mathrm{S}(A) & \text{Singleton kind} \\
 & & \mid & \Pi\alpha{::}K'.K'' & \text{Dependent function kind} \\
 & & \mid & \Sigma\alpha{::}K'.K'' & \text{Dependent pair kind} \\[4pt]
\textit{Base Constructors} & b & ::= & \mathrm{Int} \mid \mathrm{Boxedfloat} \mid \ldots & \text{Names of base types} \\[4pt]
\textit{Constructor Constants} & c & ::= & b & \\
 & & \mid & \times & \text{Pair-type constructor} \\
 & & \mid & \to & \text{Function-type constructor} \\[4pt]
\textit{Type Constructors} & A, B & ::= & c & \\
 & & \mid & \alpha, \beta, \ldots & \text{Variables} \\
 & & \mid & \lambda\alpha{::}K'.A & \text{Function} \\
 & & \mid & A\,A' & \text{Application} \\
 & & \mid & (A', A'') & \text{Pair of constructors} \\
 & & \mid & \pi_i A & \text{Projection} \\[4pt]
\textit{Types} & \tau, \sigma & ::= & \mathrm{Ty}(A) & \text{Inclusion of type constructors} \\
 & & \mid & \mathrm{S}(v : \tau) & \text{Singleton type} \\
 & & \mid & \forall\alpha{::}K.\tau & \text{Polymorphic type} \\
 & & \mid & (x{:}\tau') \to \tau'' & \text{Dependent function type} \\
 & & \mid & (x{:}\tau') \times \tau'' & \text{Dependent pair type} \\[4pt]
\textit{Values} & v, w & ::= & n & \text{Integer constants} \\
 & & \mid & x, f & \text{Variables} \\
 & & \mid & \mathtt{fun}\ f(x{:}\tau'){:}\tau''\ \mathtt{is}\ e & \text{Recursive function} \\
 & & \mid & \Lambda(\alpha{::}K){:}\tau.e & \text{Polymorphic abstraction} \\
 & & \mid & \pi_i v & \text{Projection} \\
 & & \mid & (v_1, v_2) & \text{Pair} \\[4pt]
\textit{Terms} & e, d & ::= & v & \\
 & & \mid & v\,v' & \text{Application} \\
 & & \mid & v\,A & \text{Polymorphic instantiation} \\
 & & \mid & \mathtt{let}\ x{:}\tau' = e'\ \mathtt{in}\ e : \tau\ \mathtt{end} & \text{Local variable definition}
\end{array}
$$

Figure 2.1: Syntax of the MIL₀ Calculus
$$
\begin{array}{ll}
\Gamma \vdash \mathrm{ok} & \text{Well-formed context} \\
\vdash \Gamma_1 = \Gamma_2 & \text{Context equivalence} \\
\Gamma \vdash K & \text{Well-formed kind} \\
\Gamma \vdash K_1 \le K_2 & \text{Subkinding} \\
\Gamma \vdash K_1 = K_2 & \text{Kind equivalence} \\
\Gamma \vdash A :: K & \text{Well-formed constructor} \\
\Gamma \vdash A_1 = A_2 :: K & \text{Constructor equivalence} \\
\Gamma \vdash \tau & \text{Well-formed type} \\
\Gamma \vdash \tau_1 \le \tau_2 & \text{Subtyping} \\
\Gamma \vdash \tau_1 = \tau_2 & \text{Type equivalence} \\
\Gamma \vdash e : \tau & \text{Well-formed term} \\
\Gamma \vdash e_1 = e_2 : \tau & \text{Term equivalence}
\end{array}
$$

Figure 2.2: Judgment Forms in the Static Semantics


The static semantics (type system) for MIL₀ is given as a collection of inductively-defined judgments. Figure 2.2 lists all the different judgment forms. The purpose of this section is to explain and motivate the choice of judgments.

The definition of the static semantics requires a few preliminary comments. First, the notation FV(phrase) refers to the set of free variables in phrase. This is defined in Figure 2.3 by induction on syntax.

Secondly, the static semantics uses the notion of capture-avoiding substitution: I use the metavariable $\gamma$ to stand for an arbitrary mapping from constructor variables to arbitrary constructors and from term variables to term values. The notation $\gamma(\mathit{phrase})$ is used to represent the result of applying $\gamma$ to all free variables in the phrase $\mathit{phrase}$. The substitution which sends $\alpha$ to $A$ and leaves all other variables unchanged is written $[A/\alpha]$, and $[v/x]$ is defined analogously. If $\gamma$ is a substitution, then $\gamma[\alpha \mapsto A]$ stands for the mapping which sends $\alpha$ to $A$ and behaves like $\gamma$ for all other variables; the notation $\gamma[x \mapsto v]$ is defined analogously.

2.2.1 Typing Contexts

A typing context $\Gamma$ (or simply context when this is unambiguous) represents assumptions for the types of free term variables and for the kinds of free constructor variables. It is represented as a finite sequence of variable/classifier associations. Typing contexts in MIL₀ are intrinsically sequences because of dependencies introduced by singletons: both types and kinds can refer to constructor variables appearing earlier in the context, while types can additionally refer to term variables appearing earlier in the context.

The context validity judgment determines when a context is well-formed: every type or kind appearing in the context must be well-formed with respect to the preceding segment of the context.
$$
\begin{array}{lcl}
\mathrm{FV}(\mathrm{T}) &=& \emptyset \\
\mathrm{FV}(\mathrm{S}(A)) &=& \mathrm{FV}(A) \\
\mathrm{FV}(\Pi\alpha{::}K'.K'') &=& \mathrm{FV}(K') \cup (\mathrm{FV}(K'') \setminus \{\alpha\}) \\
\mathrm{FV}(\Sigma\alpha{::}K'.K'') &=& \mathrm{FV}(K') \cup (\mathrm{FV}(K'') \setminus \{\alpha\}) \\[4pt]
\mathrm{FV}(c) &=& \emptyset \\
\mathrm{FV}(\alpha) &=& \{\alpha\} \\
\mathrm{FV}(\lambda\alpha{::}K.A) &=& \mathrm{FV}(K) \cup (\mathrm{FV}(A) \setminus \{\alpha\}) \\
\mathrm{FV}(A\,A') &=& \mathrm{FV}(A) \cup \mathrm{FV}(A') \\
\mathrm{FV}((A', A'')) &=& \mathrm{FV}(A') \cup \mathrm{FV}(A'') \\
\mathrm{FV}(\pi_i A) &=& \mathrm{FV}(A) \\[4pt]
\mathrm{FV}(\mathrm{Ty}(A)) &=& \mathrm{FV}(A) \\
\mathrm{FV}(\mathrm{S}(v : \tau)) &=& \mathrm{FV}(v) \cup \mathrm{FV}(\tau) \\
\mathrm{FV}(\forall\alpha{::}K.\tau) &=& \mathrm{FV}(K) \cup (\mathrm{FV}(\tau) \setminus \{\alpha\}) \\
\mathrm{FV}((x{:}\tau') \to \tau'') &=& \mathrm{FV}(\tau') \cup (\mathrm{FV}(\tau'') \setminus \{x\}) \\
\mathrm{FV}((x{:}\tau') \times \tau'') &=& \mathrm{FV}(\tau') \cup (\mathrm{FV}(\tau'') \setminus \{x\}) \\[4pt]
\mathrm{FV}(n) &=& \emptyset \\
\mathrm{FV}(x) &=& \{x\} \\
\mathrm{FV}(\mathtt{fun}\ f(x{:}\tau'){:}\tau''\ \mathtt{is}\ e) &=& \mathrm{FV}(\tau') \cup (\mathrm{FV}(\tau'') \setminus \{x\}) \cup (\mathrm{FV}(e) \setminus \{x, f\}) \\
\mathrm{FV}(\Lambda(\alpha{::}K){:}\tau.e) &=& \mathrm{FV}(K) \cup (\mathrm{FV}(\tau) \setminus \{\alpha\}) \cup (\mathrm{FV}(e) \setminus \{\alpha\}) \\
\mathrm{FV}(\pi_i v) &=& \mathrm{FV}(v) \\
\mathrm{FV}((v', v'')) &=& \mathrm{FV}(v') \cup \mathrm{FV}(v'') \\[4pt]
\mathrm{FV}(v\,v') &=& \mathrm{FV}(v) \cup \mathrm{FV}(v') \\
\mathrm{FV}(v\,A) &=& \mathrm{FV}(v) \cup \mathrm{FV}(A) \\
\mathrm{FV}(\mathtt{let}\ x{:}\tau' = e'\ \mathtt{in}\ e : \tau\ \mathtt{end}) &=& \mathrm{FV}(\tau') \cup \mathrm{FV}(e') \cup (\mathrm{FV}(e) \setminus \{x\}) \cup \mathrm{FV}(\tau)
\end{array}
$$

Figure 2.3: Free Variable Sets
$$\frac{\Gamma \vdash K}{\Gamma, \alpha{::}K \vdash \mathrm{ok}}\ (\alpha \notin \mathrm{dom}(\Gamma)) \qquad (2.2)$$

$$\frac{\Gamma \vdash \tau}{\Gamma, x{:}\tau \vdash \mathrm{ok}}\ (x \notin \mathrm{dom}(\Gamma)) \qquad (2.3)$$

The side-condition in Rules 2.2 and 2.3 ensures that variables are not bound in a context more than once. It follows that well-formed typing contexts can also be viewed as finite functions: $\Gamma(\alpha)$ represents the kind associated with $\alpha$ in $\Gamma$, while $\Gamma(x)$ represents the type associated with $x$ in $\Gamma$. Similarly, the notation $\mathrm{dom}(\Gamma)$ is used to represent the set of all constructor and term variables bound by $\Gamma$. The free variables of a context, $\mathrm{FV}(\Gamma)$, can then be defined inductively as follows:

$$
\begin{array}{lcl}
\mathrm{FV}(\bullet) &:=& \emptyset \\
\mathrm{FV}(\Gamma, \alpha{::}K) &:=& \mathrm{FV}(\Gamma) \cup (\mathrm{FV}(K) \setminus \mathrm{dom}(\Gamma)) \\
\mathrm{FV}(\Gamma, x{:}\tau) &:=& \mathrm{FV}(\Gamma) \cup (\mathrm{FV}(\tau) \setminus \mathrm{dom}(\Gamma))
\end{array}
$$

Because contexts are finite sequences, there is an obvious definition for appending any two contexts. The result of appending $\Gamma_1$ and $\Gamma_2$ is written $\Gamma_1, \Gamma_2$.

A similar set of inference rules gives a notion of definitional equivalence for two contexts.

$$\vdash \bullet = \bullet \qquad (2.4)$$

$$\frac{\vdash \Gamma_1 = \Gamma_2 \qquad \Gamma_1 \vdash K_1 = K_2}{\vdash \Gamma_1, \alpha{::}K_1 = \Gamma_2, \alpha{::}K_2}\ (\alpha \notin \mathrm{dom}(\Gamma_1)) \qquad (2.5)$$

$$\frac{\vdash \Gamma_1 = \Gamma_2 \qquad \Gamma_1 \vdash \tau_1 = \tau_2}{\vdash \Gamma_1, x{:}\tau_1 = \Gamma_2, x{:}\tau_2}\ (x \notin \mathrm{dom}(\Gamma_1)) \qquad (2.6)$$

It is obvious that any two equivalent contexts bind the same variables in the same order. I show later that if two contexts are equivalent then they are both well-formed and they are interchangeable in any declarative judgment.


2.2.2 Kinds

The kind validity judgment specifies when a kind is well-formed with respect to a given typing context. The kind $\mathrm{T}$ is the kind of all “ordinary” type constructors; that is, the kind of type constructors corresponding to some type.

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash \mathrm{T}} \qquad (2.7)$$

The premise of Rule 2.7 ensures that in any proof of $\Gamma \vdash K$ there is a strict subderivation proving $\Gamma \vdash \mathrm{ok}$. A similar property holds for all of the judgments defined in this chapter; I show this in §3.1.

Well-formed MIL₀ singleton kinds are restricted: they may only contain constructors of kind $\mathrm{T}$. The kind annotation is therefore omitted from the syntax, as it would always be $\mathrm{T}$.

$$\frac{\Gamma \vdash A :: \mathrm{T}}{\Gamma \vdash \mathrm{S}(A)} \qquad (2.8)$$

However, general singleton kinds $\mathrm{S}(A :: K)$ as described in the introduction are definable (see §2.3).

The rules for $\Pi$ and $\Sigma$ kinds (dependent function kinds and dependent pair kinds) are essentially standard.

$$\frac{\Gamma, \alpha{::}K' \vdash K''}{\Gamma \vdash \Pi\alpha{::}K'.K''} \qquad (2.9)$$

$$\frac{\Gamma, \alpha{::}K' \vdash K''}{\Gamma \vdash \Sigma\alpha{::}K'.K''} \qquad (2.10)$$

$\Pi\alpha{::}K'.K''$ is the kind of all functions which map an argument $\alpha$ of kind $K'$ to a result of kind $K''$, where $K''$ may depend on $\alpha$. Similarly, $\Sigma\alpha{::}K'.K''$ is the kind of all pairs of constructors whose first component $\alpha$ has kind $K'$ and whose second component has kind $K''$, where $K''$ may refer to $\alpha$. Both $\Pi\alpha{::}K'.K''$ and $\Sigma\alpha{::}K'.K''$ bind the constructor variable $\alpha$ in $K''$. I use the usual notation $K' \times K''$ for $\Sigma\alpha{::}K'.K''$ and $K' \to K''$ for $\Pi\alpha{::}K'.K''$ in those cases where $\alpha$ does not appear free in $K''$.

Frequently one might see an additional premise $\Gamma \vdash K'$ in these two rules, but as MIL₀ is defined this is already implied by the existing premise.


The subkinding judgment $\Gamma \vdash K_1 \le K_2$ defines a preorder on kinds, which may be intuitively understood to say that $K_1$ is more precise (exposes more information about a type constructor) than $K_2$. It will follow that any constructor of kind $K_1$ will be acceptable in a context requiring a constructor of kind $K_2$.

Intuitively, since $\mathrm{S}(A)$ represents “the kind of all constructors of kind $\mathrm{T}$ equivalent to $A$”, any constructor of this kind should be acceptable where a constructor of kind $\mathrm{T}$ is expected. Thus the key subkinding rule is:

$$\frac{\Gamma \vdash A :: \mathrm{T}}{\Gamma \vdash \mathrm{S}(A) \le \mathrm{T}} \qquad (2.11)$$

The premise of this rule ensures that $\mathrm{S}(A)$ is well-formed.

Subkinding between two singleton kinds coincides with equivalence

$$\frac{\Gamma \vdash A_1 = A_2 :: \mathrm{T}}{\Gamma \vdash \mathrm{S}(A_1) \le \mathrm{S}(A_2)} \qquad (2.12)$$

because a constructor of kind $\mathrm{T}$ equivalent to $A_1$ can be equivalent to $A_2$ if and only if $A_1$ and $A_2$ are equivalent to each other.

The following rule is required for subkinding to be reflexive.

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash \mathrm{T} \le \mathrm{T}} \qquad (2.13)$$

The remaining subkinding rules lift the relation to $\Pi$ and $\Sigma$ kinds, following the usual co- and contravariance properties. (The first premise in each of the following two rules ensures that $\Gamma \vdash K_1 \le K_2$ implies $\Gamma \vdash K_1$ and $\Gamma \vdash K_2$.)

$$\frac{\Gamma \vdash \Pi\alpha{::}K'_1.K''_1 \qquad \Gamma \vdash K'_2 \le K'_1 \qquad \Gamma, \alpha{::}K'_2 \vdash K''_1 \le K''_2}{\Gamma \vdash \Pi\alpha{::}K'_1.K''_1 \le \Pi\alpha{::}K'_2.K''_2} \qquad (2.14)$$

$$\frac{\Gamma \vdash \Sigma\alpha{::}K'_2.K''_2 \qquad \Gamma \vdash K'_1 \le K'_2 \qquad \Gamma, \alpha{::}K'_1 \vdash K''_1 \le K''_2}{\Gamma \vdash \Sigma\alpha{::}K'_1.K''_1 \le \Sigma\alpha{::}K'_2.K''_2} \qquad (2.15)$$


Kind equivalence, denoted $\Gamma \vdash K_1 = K_2$, is essentially a symmetrized version of subkinding. I show later that $\Gamma \vdash K_1 = K_2$ if and only if $\Gamma \vdash K_1 \le K_2$ and $\Gamma \vdash K_2 \le K_1$, and a reasonable alternative presentation of the system would make this the definition of kind equivalence.

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash \mathrm{T} = \mathrm{T}} \qquad (2.16)$$

$$\frac{\Gamma \vdash A_1 = A_2 :: \mathrm{T}}{\Gamma \vdash \mathrm{S}(A_1) = \mathrm{S}(A_2)} \qquad (2.17)$$

$$\frac{\Gamma \vdash \Pi\alpha{::}K'_2.K''_2 \qquad \Gamma \vdash K'_1 = K'_2 \qquad \Gamma, \alpha{::}K'_1 \vdash K''_1 = K''_2}{\Gamma \vdash \Pi\alpha{::}K'_1.K''_1 = \Pi\alpha{::}K'_2.K''_2} \qquad (2.18)$$

$$\frac{\Gamma \vdash \Sigma\alpha{::}K'_2.K''_2 \qquad \Gamma \vdash K'_1 = K'_2 \qquad \Gamma, \alpha{::}K'_1 \vdash K''_1 = K''_2}{\Gamma \vdash \Sigma\alpha{::}K'_1.K''_1 = \Sigma\alpha{::}K'_2.K''_2} \qquad (2.19)$$


2.2.3 Type Constructors

The constructors include names for base types, all with kind $\mathrm{T}$

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash b :: \mathrm{T}}\ (b \in \{\mathrm{Int}, \mathrm{Boxedfloat}, \mathrm{Char}, \ldots\}) \qquad (2.20)$$

and constants for creating product types and function types:

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash {\times} :: \mathrm{T} \to (\mathrm{T} \to \mathrm{T})} \qquad (2.21)$$

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash {\to} :: \mathrm{T} \to (\mathrm{T} \to \mathrm{T})} \qquad (2.22)$$

Applications of these constants to two arguments will be written in the usual infix manner, $A_1 \times A_2$ and $A_1 \to A_2$.

As constructors form a λ-calculus, there are variables, functions mapping constructors to constructors, and applications of such functions.

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash \alpha :: \Gamma(\alpha)}\ (\alpha \in \mathrm{dom}(\Gamma)) \qquad (2.23)$$

$$\frac{\Gamma, \alpha{::}K' \vdash A :: K''}{\Gamma \vdash \lambda\alpha{::}K'.A :: \Pi\alpha{::}K'.K''} \qquad (2.24)$$

$$\frac{\Gamma \vdash A :: K' \to K'' \qquad \Gamma \vdash A' :: K'}{\Gamma \vdash A\,A' :: K''} \qquad (2.25)$$

Since the constructors form a dependently-typed λ-calculus, the formulation of Rule 2.25 (which permits only applications of functions with non-dependent function kinds) may appear surprisingly restrictive. However, a consequence of having singleton kinds is that this rule implies the more traditional formulation allowing dependencies, which becomes admissible (see §2.3).

Similarly one can form pairs of constructors, and perform projections from such pairs.

$$\frac{\Gamma \vdash A' :: K' \qquad \Gamma \vdash A'' :: K''}{\Gamma \vdash (A', A'') :: K' \times K''} \qquad (2.26)$$

$$\frac{\Gamma \vdash A :: \Sigma\alpha{::}K'.K''}{\Gamma \vdash \pi_1 A :: K'} \qquad (2.27)$$

$$\frac{\Gamma \vdash A :: \Sigma\alpha{::}K'.K''}{\Gamma \vdash \pi_2 A :: [\pi_1 A/\alpha]K''} \qquad (2.28)$$

Next, there is an obvious introduction rule for singletons.

$$\frac{\Gamma \vdash A :: \mathrm{T}}{\Gamma \vdash A :: \mathrm{S}(A)} \qquad (2.29)$$

The following two rules are somewhat unusual; they can be considered as reflexive instances of extensionality (see Rules 2.41 and 2.42 below).

$$\frac{\Gamma \vdash \pi_1 A :: K' \qquad \Gamma \vdash \pi_2 A :: K''}{\Gamma \vdash A :: K' \times K''} \qquad (2.30)$$

$$\frac{\Gamma, \alpha{::}K' \vdash A\,\alpha :: K'' \qquad \Gamma \vdash A :: \Pi\alpha{::}L'.L'' \qquad \Gamma \vdash K' = L'}{\Gamma \vdash A :: \Pi\alpha{::}K'.K''} \qquad (2.31)$$

Intuitively, Rules 2.30 and 2.31 say that “a constructor has every kind that its eta-expansion does”. In most dependently-typed calculi such rules would be admissible and not part of the system’s definition. However, here they allow constructors to be given strictly more precise kinds. (They also ensure that kinds are preserved under η-reduction.) For example, assume that $\alpha{::}\mathrm{T} \times \mathrm{T}$. In the absence of Rule 2.30, the most precise kind for $\alpha$ which can be shown is:

$$\alpha{::}\mathrm{T} \times \mathrm{T} \vdash \alpha :: \mathrm{T} \times \mathrm{T}$$

However, using Rule 2.30 one can conclude

$$\alpha{::}\mathrm{T} \times \mathrm{T} \vdash \alpha :: \mathrm{S}(\pi_1 \alpha) \times \mathrm{S}(\pi_2 \alpha).$$

This says that $\alpha$ has “the kind of pairs whose first component is equal to the first component of $\alpha$ and whose second component is equal to the second component of $\alpha$”. This is a much more precise and informative kind than $\mathrm{T} \times \mathrm{T}$. In fact, by extensionality the only pair with this kind is $\alpha$ itself, so that this kind can be considered an encoding of $\mathrm{S}(\alpha :: \mathrm{T} \times \mathrm{T})$. These rules are therefore critical for encoding singletons of arbitrary constructors (in §2.3).
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I believe that last two premises in Rule 2.31 could be replaced by the much simpler side- 
condition a $ FV(A), but I then become unable to show the existence of principal kinds in §4.2. 
The formulation here makes explicit that Rule 2.31 yields more-precise II kinds for constructors only 
by making the codomain more precise, rather than by weakening the domain kind. For the purposes 
of principal types this could be expressed more directly with the single premise T b A :: Ha::K r .L ff , 
but the two-premise form here is more convenient in Chapter 3. 

Rules analogous to 2.30 and 2.31 have frequently appeared in literature studying Standard ML
modules, including the non-standard structure-typing rule of Harper, Mitchell, and Moggi [HMM90],
the VALUE rules of Harper and Lillibridge's translucent sums [HL94], the strengthening operation
of Leroy's manifest type system [Ler94], the "self" rule of Leroy's applicative functors [Ler95], and
the REFL rule of Aspinall [Asp00].

Subkinding is used by the subsumption rule:

$$\frac{\Gamma \vdash A :: K_1 \qquad \Gamma \vdash K_1 \le K_2}{\Gamma \vdash A :: K_2} \tag{2.32}$$

Constructor equivalence defines a notion of equality (interchangeability) for type constructors.
The judgment $\Gamma \vdash A_1 = A_2 :: K$ expresses the fact that $A_1$ and $A_2$ are equivalent constructors
of kind $K$ under context $\Gamma$. Whether $\Gamma \vdash A_1 = A_2 :: K$ is provable depends not only on $A_1$ and
$A_2$, but also on the kinds of their free variables (given by $\Gamma$) and the kind $K$ at which the two
constructors are being compared. Equivalence is highly context-sensitive.

Equivalence is first defined to be a reflexive, symmetric, and transitive relation:

$$\frac{\Gamma \vdash A :: K}{\Gamma \vdash A = A :: K} \tag{2.33}$$

$$\frac{\Gamma \vdash A_2 = A_1 :: K}{\Gamma \vdash A_1 = A_2 :: K} \tag{2.34}$$

$$\frac{\Gamma \vdash A_1 = A_2 :: K \qquad \Gamma \vdash A_2 = A_3 :: K}{\Gamma \vdash A_1 = A_3 :: K} \tag{2.35}$$


Next, the relation is specified to be a congruence: replacing subparts of a constructor with
equivalent parts yields an equivalent constructor.

$$\frac{\Gamma \vdash K'_1 = K'_2 \qquad \Gamma, \alpha{::}K'_1 \vdash A_1 = A_2 :: K''}{\Gamma \vdash \lambda\alpha{::}K'_1.A_1 = \lambda\alpha{::}K'_2.A_2 :: \Pi\alpha{::}K'_1.K''} \tag{2.36}$$

$$\frac{\Gamma \vdash A_1 = A_2 :: K' \to K'' \qquad \Gamma \vdash A'_1 = A'_2 :: K'}{\Gamma \vdash A_1\,A'_1 = A_2\,A'_2 :: K''} \tag{2.37}$$

$$\frac{\Gamma \vdash A_1 = A_2 :: \Sigma\alpha{::}K'.K''}{\Gamma \vdash \pi_1 A_1 = \pi_1 A_2 :: K'} \tag{2.38}$$

$$\frac{\Gamma \vdash A_1 = A_2 :: \Sigma\alpha{::}K'.K''}{\Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: [\pi_1 A_1/\alpha]K''} \tag{2.39}$$

$$\frac{\Gamma \vdash A'_1 = A'_2 :: K' \qquad \Gamma \vdash A''_1 = A''_2 :: K''}{\Gamma \vdash \langle A'_1, A''_1 \rangle = \langle A'_2, A''_2 \rangle :: K' \times K''} \tag{2.40}$$

There are two extensionality rules: if two functions or two pairs cannot be distinguished by
their uses then they are considered equivalent. In particular, two pairs are equivalent if they have
equivalent first and second components:

$$\frac{\Gamma \vdash \pi_1 A_1 = \pi_1 A_2 :: K' \qquad \Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: K''}{\Gamma \vdash A_1 = A_2 :: K' \times K''} \tag{2.41}$$

and two functions are equivalent if they return equivalent results for all arguments:

$$\frac{\Gamma, \alpha{::}K' \vdash A_1\,\alpha = A_2\,\alpha :: K'' \qquad \Gamma \vdash A_1 :: \Pi\alpha{::}L'_1.L''_1 \qquad \Gamma \vdash K' = L'_1 \qquad \Gamma \vdash A_2 :: \Pi\alpha{::}L'_2.L''_2 \qquad \Gamma \vdash K' = L'_2}{\Gamma \vdash A_1 = A_2 :: \Pi\alpha{::}K'.K''} \tag{2.42}$$


The last four premises in Rule 2.42 ensure that both $A_1$ and $A_2$ actually have kind $\Pi\alpha{::}K'.K''$. If
Rule 2.31 were simplified as discussed above then this rule could be simplified in analogous fashion
with the side condition $\alpha \notin (FV(A_1) \cup FV(A_2))$.

As in the well-formedness rules, there is a subsumption rule:

$$\frac{\Gamma \vdash A_1 = A_2 :: K_1 \qquad \Gamma \vdash K_1 \le K_2}{\Gamma \vdash A_1 = A_2 :: K_2} \tag{2.43}$$


Interestingly, an easy inductive argument shows that the rules given so far merely define constructor
equivalence to be syntactic identity (up to renaming of bound variables). All the rules
except for Rule 2.33 would then appear redundant. Adding one more rule makes this equivalence
non-trivial, and justifies the presence of each of the above rules:

$$\frac{\Gamma \vdash A :: S(B)}{\Gamma \vdash A = B :: S(B)} \tag{2.44}$$
This completes the definition of constructor equivalence. It may be initially surprising that
there are no equivalence rules for reducing function applications or projections from pairs (i.e., β-like
rules). It turns out that these are admissible in the presence of singleton kinds and Rule 2.44.
The details are in §2.3 and §3.3, but I sketch one example here. It is clear that

$$\vdash \langle \mathrm{Int}, \mathrm{Boxedfloat} \rangle :: S(\mathrm{Int}) \times S(\mathrm{Boxedfloat})$$

Therefore by Rule 2.27 it follows that

$$\vdash \pi_1\langle \mathrm{Int}, \mathrm{Boxedfloat} \rangle :: S(\mathrm{Int})$$

and by Rule 2.44 and subsumption we have

$$\vdash \pi_1\langle \mathrm{Int}, \mathrm{Boxedfloat} \rangle = \mathrm{Int} :: T$$

This same argument can be generalized to projections from arbitrary pairs, and in an analogous
fashion to applications of λ-abstractions.

Given the β-rules, then, the extensionality rules 2.42 and 2.41 imply that the usual η-rules are
admissible as well. It is well-known that η-reduction is not confluent in the presence of terminal
(unit) types. As singletons are a generalized form of unit, the same behavior appears here as well.
For example:

$$\alpha{::}T \to S(\mathrm{Int}) \vdash \alpha = (\lambda\beta{::}T.\mathrm{Int}) :: T \to T$$

holds, as does

$$\alpha{::}S(\mathrm{Int}) \to T \vdash \alpha = (\lambda\beta{::}S(\mathrm{Int}).(\alpha\ \mathrm{Int})) :: S(\mathrm{Int}) \to T$$

All the constructors in these judgments are normal with respect to βη-reduction; compare the
right-hand constructor in the last judgment with $\lambda\beta{::}S(\mathrm{Int}).(\alpha\,\beta)$, the η-expansion of $\alpha$.

A more obvious consequence of having singletons — and their original motivation — is that
they can be used to express definitions for variables. For example, in the following two judgments
the context effectively defines $\alpha$ to be $\mathrm{Int}$.

$$\alpha{::}S(\mathrm{Int}) \vdash \alpha = \mathrm{Int} :: T$$

$$\alpha{::}S(\mathrm{Int}) \vdash \langle \alpha, \mathrm{Int} \rangle = \langle \mathrm{Int}, \alpha \rangle :: T \times T$$

But the system is not restricted merely to giving definitions to variables. In the provable judgment

$$\alpha{::}T \times S(\mathrm{Int}) \vdash \pi_2\alpha = \mathrm{Int} :: T$$

the context partially defines $\alpha$; it is known to be a pair and its second component is (equivalent
to) $\mathrm{Int}$, but this does not give a definition for $\alpha$ as a whole. Alternatively, this could be thought of
as giving $\pi_2\alpha$ the definition $\mathrm{Int}$ without giving one to $\pi_1\alpha$.

Similarly, in the provable judgments

$$\alpha{::}\Sigma\beta{::}T.S(\beta) \vdash \pi_1\alpha = \pi_2\alpha :: T$$

$$\alpha{::}\Sigma\beta{::}T.S(\beta) \vdash \alpha = \langle \pi_1\alpha, \pi_1\alpha \rangle :: T \times T$$

the assumption governing $\alpha$ requires that it be a pair whose first component $\beta$ has kind $T$ and
whose second component is equal to the first; that is, a pair with two equal components of kind
$T$. This gives a definition to $\pi_2\alpha$, namely $\pi_1\alpha$, without further specifying the contents of these two
equal components.
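As an added worked derivation (mine, not part of the dissertation's own text), the two judgments above can be proved from the rules of this section together with the admissible projection rules 2.108 and 2.109 of §2.3. Write $\Gamma$ for the context $\alpha{::}\Sigma\beta{::}T.S(\beta)$; the variable rule and the subkinding rule $S(A) \le T$ that drops a singleton are cited by name, since their rule numbers do not appear in this excerpt.

1. $\Gamma \vdash \alpha :: \Sigma\beta{::}T.S(\beta)$ (variable rule).
2. $\Gamma \vdash \pi_1\alpha :: T$ (Rule 2.27) and $\Gamma \vdash \pi_2\alpha :: [\pi_1\alpha/\beta]S(\beta)$, that is, $\Gamma \vdash \pi_2\alpha :: S(\pi_1\alpha)$ (Rule 2.28).
3. $\Gamma \vdash \pi_2\alpha = \pi_1\alpha :: S(\pi_1\alpha)$ (Rule 2.44 applied to step 2).
4. $\Gamma \vdash S(\pi_1\alpha) \le T$ (singleton subkinding, from $\Gamma \vdash \pi_1\alpha :: T$), so $\Gamma \vdash \pi_2\alpha = \pi_1\alpha :: T$ (Rule 2.43), and by symmetry (Rule 2.34)

$$\Gamma \vdash \pi_1\alpha = \pi_2\alpha :: T.$$

For the second judgment, Rule 2.41 with $K' = K'' = T$ needs two premises:

5. $\Gamma \vdash \pi_1\langle \pi_1\alpha, \pi_1\alpha \rangle = \pi_1\alpha :: T$ (Rule 2.108, both components having kind $T$ by step 2); symmetry gives $\Gamma \vdash \pi_1\alpha = \pi_1\langle \pi_1\alpha, \pi_1\alpha \rangle :: T$.
6. $\Gamma \vdash \pi_2\langle \pi_1\alpha, \pi_1\alpha \rangle = \pi_1\alpha :: T$ (Rule 2.109); with step 4 and Rules 2.34 and 2.35, $\Gamma \vdash \pi_2\alpha = \pi_2\langle \pi_1\alpha, \pi_1\alpha \rangle :: T$.
7. Rule 2.41 then yields

$$\Gamma \vdash \alpha = \langle \pi_1\alpha, \pi_1\alpha \rangle :: T \times T.$$

Note where the singleton does its work: step 3 is the only place equality between two syntactically different constructors is introduced, and it is available only because the kind of $\pi_2\alpha$ is a singleton.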

Now because of subkinding and subsumption, constructors do not have unique kinds. The
equational system presented here has the relatively unusual property (for a system expected to be
decidable) that equivalence of two constructors depends on the kind at which they are compared.
Two constructors may be equivalent at one kind but not at another; for example, one cannot prove

$$\vdash \lambda\alpha{::}T.\alpha = \lambda\alpha{::}T.\mathrm{Int} :: T \to T.$$

This is fortunate, as the identity function for constructors of kind $T$ and the function constantly
returning $\mathrm{Int}$ do have distinct behaviors and ought not be equivalent in a consistent equational
theory. However, by subsumption these two functions both have kind $S(\mathrm{Int}) \to T$ and the judgment

$$\vdash \lambda\alpha{::}T.\alpha = \lambda\alpha{::}T.\mathrm{Int} :: S(\mathrm{Int}) \to T$$

is provable. The proof uses extensionality and the fact that the two functions provably agree when
restricted to an argument of kind $S(\mathrm{Int})$, i.e., when applied to the argument $\mathrm{Int}$.

The classifying kind at which constructors are compared may depend on the context of their
occurrence. For example, it follows from the previous equation and Rule 2.37 that

$$\beta{::}(S(\mathrm{Int}) \to T) \to T \vdash \beta\,(\lambda\alpha{::}T.\alpha) = \beta\,(\lambda\alpha{::}T.\mathrm{Int}) :: T$$

is provable. The kind of $\beta$ guarantees that it will only apply its argument to the constructor $\mathrm{Int}$,
so it cannot matter whether $\beta$ is given $\lambda\alpha{::}T.\alpha$ or $\lambda\alpha{::}T.\mathrm{Int}$.

In contrast, the following judgment is not provable:

$$\beta{::}(T \to T) \to T \vdash \beta\,(\lambda\alpha{::}T.\alpha) = \beta\,(\lambda\alpha{::}T.\mathrm{Int}) :: T$$

because the context makes a weaker assumption about $\beta$.
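The proof just sketched, carried through as an added worked derivation (mine, not the dissertation's own text). It uses Rule 2.42 together with the admissible β-rule 2.107 of §2.3; the constructor λ-introduction rule, the variable rule, the singleton subkinding rule $S(A) \le T$ and the Π subkinding rule (contravariant in the domain) are cited by name because their numbers do not appear in this excerpt. The bound variable is renamed to $\alpha'$ so that it is not confused with the context variable $\alpha$, and $S(\mathrm{Int}) \to T$ abbreviates $\Pi\alpha{::}S(\mathrm{Int}).T$.

1. $\vdash \lambda\alpha'{::}T.\alpha' :: T \to T$ and $\vdash \lambda\alpha'{::}T.\mathrm{Int} :: T \to T$ (λ-introduction, with $\alpha'{::}T \vdash \alpha' :: T$ and $\alpha'{::}T \vdash \mathrm{Int} :: T$).
2. $\vdash S(\mathrm{Int}) \le T$ (singleton subkinding), hence $\vdash T \to T \le S(\mathrm{Int}) \to T$ (Π subkinding), and by Rule 2.32 both functions have kind $\Pi\alpha{::}S(\mathrm{Int}).T$. Together with $\vdash S(\mathrm{Int}) = S(\mathrm{Int})$ (reflexivity of kind equivalence, Proposition 3.1.3) this discharges the last four premises of Rule 2.42, taking $L'_1 = L'_2 = S(\mathrm{Int})$ and $L''_1 = L''_2 = T$.
3. In the context $\alpha{::}S(\mathrm{Int})$: $\alpha{::}S(\mathrm{Int}) \vdash \alpha = \mathrm{Int} :: S(\mathrm{Int})$ (Rule 2.44 on the variable rule), so $\alpha{::}S(\mathrm{Int}) \vdash \alpha = \mathrm{Int} :: T$ (Rule 2.43 with step 2).
4. $\alpha{::}S(\mathrm{Int}) \vdash (\lambda\alpha'{::}T.\alpha')\,\alpha = \alpha :: T$ and $\alpha{::}S(\mathrm{Int}) \vdash (\lambda\alpha'{::}T.\mathrm{Int})\,\alpha = \mathrm{Int} :: T$ (Rule 2.107; the argument $\alpha$ has kind $T$ by Rule 2.32).
5. Chaining steps 3 and 4 with Rules 2.34 and 2.35:

$$\alpha{::}S(\mathrm{Int}) \vdash (\lambda\alpha'{::}T.\alpha')\,\alpha = (\lambda\alpha'{::}T.\mathrm{Int})\,\alpha :: T,$$

which is the first premise of Rule 2.42.

6. Rule 2.42 concludes

$$\vdash \lambda\alpha'{::}T.\alpha' = \lambda\alpha'{::}T.\mathrm{Int} :: \Pi\alpha{::}S(\mathrm{Int}).T.$$

Step 3 is exactly what is unavailable at kind $T \to T$: in the context $\alpha{::}T$ there is no rule that equates $\alpha$ with $\mathrm{Int}$, so the first premise of Rule 2.42 cannot be established and the unwanted equation is not derivable.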

2.2.4 Types

The constructors of kind $T$ correspond to types; there is an explicit inclusion $\mathrm{Ty}(\cdot)$ mapping each
such constructor to the corresponding type.

$$\frac{\Gamma \vdash A :: T}{\Gamma \vdash \mathrm{Ty}(A)} \tag{2.45}$$

I will use $\mathrm{int}$ as an abbreviation for the type $\mathrm{Ty}(\mathrm{Int})$, $\mathrm{boxedfloat}$ to abbreviate $\mathrm{Ty}(\mathrm{Boxedfloat})$,
and similarly for the other primitive constructors.


As discussed in the introduction, singleton types are restricted to contain only syntactic values.
The representation of labeled singletons via encodings, as is done for kinds in §2.3 below, does not
work for terms due to the lack of extensionality principles. Because for inlining purposes I need
singletons at non-base type, labeled singleton types are made primitive:

$$\frac{\Gamma \vdash v : \tau}{\Gamma \vdash S(v : \tau)} \quad (\tau \text{ not a singleton}) \tag{2.46}$$


Rule 2.46 prohibits the type label in a singleton from being yet another singleton type. So, for
example,

$$S((\lambda x{:}\mathrm{int}.3) : \mathrm{int} \to S(3 : \mathrm{int}))$$

is well-formed, but the following type is not:

$$S((\lambda x{:}\mathrm{int}.3) : S((\lambda x{:}\mathrm{int}.3) : \mathrm{int} \to S(3 : \mathrm{int}))).$$


The property of a type not being a singleton is preserved under the important operations of substitution
and head-normalization. Also, because of predicativity it is clear from the rules below that
singleton types are equivalent only to other singleton types; see Theorem 6.2.2. This restriction
could be formalized syntactically by defining a grammatical class of non-singleton types, but in this
case I have opted for syntactic simplicity.

This restriction is reasonable because a well-formed type $S(v_1 : S(v_2 : \tau))$ contains no more
information than is already contained in $S(v_1 : \tau)$ or $S(v_2 : \tau)$. At first it might appear that a
typing assumption $x{:}S(v_1 : S(v_2 : \tau))$ would be equivalent to assuming that $v_1$ and $v_2$ are equivalent.
However, in order to make such an assumption it must be possible to show that $S(v_1 : S(v_2 : \tau))$ is
well-formed, and in particular that without the new assumption one has $v_1 : S(v_2 : \tau)$, i.e., that $v_1$
and $v_2$ are equivalent at type $\tau$. Thus nested singletons impart no useful information.

Allowing directly nested singletons would have the further consequence that the constant $3$
would naturally have the types $S(3 : \mathrm{int})$ and $S(3 : S(3 : \mathrm{int}))$ and $S(3 : S(3 : S(3 : \mathrm{int})))$, and so on.
By the "obvious" subtyping rules these would form an infinite strictly decreasing chain of subtypes,
even though none of these types are really more informative than any of the others. (These types
all classify exactly the same set of values, namely the set $\{3\}$.) Furthermore there would be no
lower bound to this sequence of types: the system would fail to have principal (most specific) types
for all terms.

Aspinall [Asp95] addresses this problem by defining all the types in such a chain to be equivalent:
$S(v : \tau) = S(v : S(v : \tau))$. By disallowing directly nested singletons, I avoid a need for this rule.
This has the advantage of allowing a much simpler inversion principle for equivalence of singleton
types: if two singleton types are equivalent then their type labels are equivalent. (This principle is
clearly false in Aspinall's system. It also fails for the encoding of labeled singleton kinds, but the
proofs use inversion only for the kinds of the official MIL₀ language.)


Because of singleton types, the types classifying functions and binary products are extended to
dependent forms:

$$\frac{\Gamma, x{:}\tau' \vdash \tau''}{\Gamma \vdash (x{:}\tau') \to \tau''} \tag{2.47}$$

$$\frac{\Gamma, x{:}\tau' \vdash \tau''}{\Gamma \vdash (x{:}\tau') \times \tau''} \tag{2.48}$$

Such types are written $\tau' \to \tau''$ and $\tau' \times \tau''$ when there is no actual dependency.

Finally, MIL₀ contains the types for polymorphic terms, functions whose argument is a constructor.

$$\frac{\Gamma, \alpha{::}K \vdash \tau}{\Gamma \vdash \forall\alpha{::}K.\tau} \tag{2.49}$$

Note that in this predicative system there are no type constructors corresponding to singleton
types, truly dependent function or pair types, or to polymorphic types.


Type equivalence is, like constructor equivalence, reflexive, symmetric, transitive, and a congruence.

$$\frac{\Gamma \vdash \tau}{\Gamma \vdash \tau = \tau} \tag{2.50}$$

$$\frac{\Gamma \vdash \tau' = \tau}{\Gamma \vdash \tau = \tau'} \tag{2.51}$$

$$\frac{\Gamma \vdash \tau = \tau' \qquad \Gamma \vdash \tau' = \tau''}{\Gamma \vdash \tau = \tau''} \tag{2.52}$$

$$\frac{\Gamma \vdash A_1 = A_2 :: T}{\Gamma \vdash \mathrm{Ty}(A_1) = \mathrm{Ty}(A_2)} \tag{2.53}$$

$$\frac{\Gamma \vdash v_1 = v_2 : \tau_1 \qquad \Gamma \vdash \tau_1 = \tau_2}{\Gamma \vdash S(v_1 : \tau_1) = S(v_2 : \tau_2)} \quad (\tau_1, \tau_2 \text{ not a singleton}) \tag{2.54}$$

$$\frac{\Gamma \vdash \tau'_1 = \tau'_2 \qquad \Gamma, x{:}\tau'_1 \vdash \tau''_1 = \tau''_2}{\Gamma \vdash (x{:}\tau'_1) \to \tau''_1 = (x{:}\tau'_2) \to \tau''_2} \tag{2.55}$$

$$\frac{\Gamma \vdash \tau'_1 = \tau'_2 \qquad \Gamma, x{:}\tau'_1 \vdash \tau''_1 = \tau''_2}{\Gamma \vdash (x{:}\tau'_1) \times \tau''_1 = (x{:}\tau'_2) \times \tau''_2} \tag{2.56}$$

$$\frac{\Gamma \vdash K_1 = K_2 \qquad \Gamma, \alpha{::}K_1 \vdash \tau_1 = \tau_2}{\Gamma \vdash \forall\alpha{::}K_1.\tau_1 = \forall\alpha{::}K_2.\tau_2} \tag{2.57}$$

Finally certain constructors correspond to (non-dependent) pair types and (non-dependent,
non-polymorphic) function types.

$$\frac{\Gamma \vdash A_1 :: T \qquad \Gamma \vdash A_2 :: T}{\Gamma \vdash \mathrm{Ty}(A_1 \times A_2) = \mathrm{Ty}(A_1) \times \mathrm{Ty}(A_2)} \tag{2.58}$$

$$\frac{\Gamma \vdash A_1 :: T \qquad \Gamma \vdash A_2 :: T}{\Gamma \vdash \mathrm{Ty}(A_1 \to A_2) = \mathrm{Ty}(A_1) \to \mathrm{Ty}(A_2)} \tag{2.59}$$

These rules are necessary for polymorphism to be useful in this predicative type system. For
example, consider the polymorphic identity function

$$\mathrm{id} : \forall\alpha{::}T.\mathrm{Ty}(\alpha) \to \mathrm{Ty}(\alpha).$$

To apply this function to a pair of integers requires polymorphic instantiation (i.e., an application
of $\mathrm{id}$ to a constructor argument). The only reasonable argument here is $\mathrm{Int} \times \mathrm{Int}$, so we have

$$\mathrm{id}\,(\mathrm{Int} \times \mathrm{Int}) : \mathrm{Ty}(\mathrm{Int} \times \mathrm{Int}) \to \mathrm{Ty}(\mathrm{Int} \times \mathrm{Int}).$$

But by the typing rules below, a pair of integers does not have type $\mathrm{Ty}(\mathrm{Int} \times \mathrm{Int})$ but instead has
type $\mathrm{Ty}(\mathrm{Int}) \times \mathrm{Ty}(\mathrm{Int})$, i.e., the type of a pair whose elements are of type $\mathrm{Ty}(\mathrm{Int})$. Rule 2.58 is then
necessary to permit an application like $(\mathrm{id}\,(\mathrm{Int} \times \mathrm{Int}))\,\langle 3, 4 \rangle$ to typecheck.

Subtyping is reflexive and transitive, and is a strictly weaker relation than equivalence.

$$\frac{\Gamma \vdash \tau = \tau'}{\Gamma \vdash \tau \le \tau'} \tag{2.60}$$

$$\frac{\Gamma \vdash \tau \le \tau' \qquad \Gamma \vdash \tau' \le \tau''}{\Gamma \vdash \tau \le \tau''} \tag{2.61}$$

One can obtain a supertype of a singleton type by either dropping the singleton (as at the kind
level), or by weakening the type label.

$$\frac{\Gamma \vdash v : \tau}{\Gamma \vdash S(v : \tau) \le \tau} \quad (\tau \text{ not a singleton}) \tag{2.62}$$

$$\frac{\Gamma \vdash S(v_1 : \tau_1) \qquad \Gamma \vdash v_1 = v_2 : \tau_2 \qquad \Gamma \vdash \tau_1 \le \tau_2}{\Gamma \vdash S(v_1 : \tau_1) \le S(v_2 : \tau_2)} \quad (\tau_1, \tau_2 \text{ not a singleton}) \tag{2.63}$$
Subtyping is lifted to functions, pairs, and polymorphic types in the usual co- and contravariant
manner.

$$\frac{\Gamma \vdash (x{:}\tau'_1) \to \tau''_1 \qquad \Gamma \vdash \tau'_2 \le \tau'_1 \qquad \Gamma, x{:}\tau'_2 \vdash \tau''_1 \le \tau''_2}{\Gamma \vdash (x{:}\tau'_1) \to \tau''_1 \le (x{:}\tau'_2) \to \tau''_2} \tag{2.64}$$

$$\frac{\Gamma \vdash (x{:}\tau'_2) \times \tau''_2 \qquad \Gamma \vdash \tau'_1 \le \tau'_2 \qquad \Gamma, x{:}\tau'_1 \vdash \tau''_1 \le \tau''_2}{\Gamma \vdash (x{:}\tau'_1) \times \tau''_1 \le (x{:}\tau'_2) \times \tau''_2} \tag{2.65}$$

$$\frac{\Gamma \vdash \forall\alpha{::}K_1.\tau_1 \qquad \Gamma \vdash K_2 \le K_1 \qquad \Gamma, \alpha{::}K_2 \vdash \tau_1 \le \tau_2}{\Gamma \vdash \forall\alpha{::}K_1.\tau_1 \le \forall\alpha{::}K_2.\tau_2} \tag{2.66}$$

Because the system is predicative, there is no difficulty arising from the contravariant subkinding
for the domains of universally quantified types, as can sometimes arise when polymorphism and
subtyping are combined [Pie91].


2.2.5 Terms

The well-formedness rules for the term language are mostly standard. The language has been
restricted to a "named" form where intermediate quantities are bound to variables [FSDF93]. Note
that projections from values are considered to be values: for the system to be useful it is necessary
that projections from variables be values so that they may appear in singletons, and we wish terms
to remain well-formed under substitutions of values for variables.

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash n : \mathrm{int}} \tag{2.67}$$

$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash x : \Gamma(x)} \tag{2.68}$$

Function values are potentially recursive. Within the body $e$ of the function $\mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e$
the variable $x$ refers to the function argument and $f$ refers to the function itself; the result type $\tau''$
may also depend on $x$.

$$\frac{\Gamma, f{:}(x{:}\tau') \to \tau'', x{:}\tau' \vdash e : \tau''}{\Gamma \vdash \mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e : (x{:}\tau') \to \tau''} \tag{2.69}$$

When the function $\mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e$ is non-recursive (i.e., $f \notin FV(e)$) then it can be written as
$\lambda(x{:}\tau'){:}\tau''.e$, or even $\lambda x{:}\tau'.e$ when the return-type is obvious or irrelevant.

Type abstractions are also annotated with a return-type. This accurately models the full MIL
(where the notions of type and term abstractions are merged) and simplifies the correctness proof
for my typechecking algorithm.

$$\frac{\Gamma, \alpha{::}K \vdash e : \tau}{\Gamma \vdash \Lambda(\alpha{::}K){:}\tau.e : \forall\alpha{::}K.\tau} \tag{2.70}$$
$$\frac{\Gamma \vdash v_1 : \tau_1 \qquad \Gamma \vdash v_2 : \tau_2}{\Gamma \vdash \langle v_1, v_2 \rangle : \tau_1 \times \tau_2} \tag{2.71}$$

$$\frac{\Gamma \vdash v : (x{:}\tau') \times \tau''}{\Gamma \vdash \pi_1 v : \tau'} \tag{2.72}$$

$$\frac{\Gamma \vdash v : (x{:}\tau') \times \tau''}{\Gamma \vdash \pi_2 v : [\pi_1 v/x]\tau''} \tag{2.73}$$

$$\frac{\Gamma \vdash v : \tau' \to \tau'' \qquad \Gamma \vdash v' : \tau'}{\Gamma \vdash v\,v' : \tau''} \tag{2.74}$$

$$\frac{\Gamma \vdash v : \forall\alpha{::}K.\tau \qquad \Gamma \vdash A :: K}{\Gamma \vdash v\,A : [A/\alpha]\tau} \tag{2.75}$$

Every let-expression is annotated with two types: the type of the locally-defined variable, and
the type of the entire let-expression.

$$\frac{\Gamma \vdash e' : \tau' \qquad \Gamma, x{:}\tau' \vdash e : \tau \qquad \Gamma \vdash \tau}{\Gamma \vdash (\mathsf{let}\ x{:}\tau' = e'\ \mathsf{in}\ e : \tau\ \mathsf{end}) : \tau} \tag{2.76}$$

The former annotation is used to simplify the typechecking algorithm; it would be preferable
if this were not needed. The latter type is used to ensure easy calculation of principal types for
let-expressions. In the TILT compiler, let is used only in specific positions (i.e., the body of a
function or the arms of a conditional expression) which for other reasons are already annotated
with their types, so the presence of the body annotation in MIL₀ is reasonable.

Values are given singleton types via the following singleton introduction rule.

$$\frac{\Gamma \vdash v : \tau}{\Gamma \vdash v : S(v : \tau)} \quad (\tau \text{ not a singleton}) \tag{2.77}$$

Finally, subtyping is used by the subsumption rule.

$$\frac{\Gamma \vdash e : \tau_1 \qquad \Gamma \vdash \tau_1 \le \tau_2}{\Gamma \vdash e : \tau_2} \tag{2.78}$$


The following definition of term equivalence is the strongest equivalence relation (relating fewest
terms) that seems useful for the purposes described in the introductory chapter.

$$\frac{\Gamma \vdash e : \tau}{\Gamma \vdash e = e : \tau} \tag{2.79}$$

$$\frac{\Gamma \vdash e' = e : \tau}{\Gamma \vdash e = e' : \tau} \tag{2.80}$$

$$\frac{\Gamma \vdash e = e' : \tau \qquad \Gamma \vdash e' = e'' : \tau}{\Gamma \vdash e = e'' : \tau} \tag{2.81}$$

Again, equivalence is a congruence:

$$\frac{\Gamma \vdash \tau'_1 = \tau'_2 \qquad \Gamma, x{:}\tau'_1 \vdash \tau''_1 = \tau''_2 \qquad \Gamma, f{:}(x{:}\tau'_1) \to \tau''_1, x{:}\tau'_1 \vdash e_1 = e_2 : \tau''_1}{\Gamma \vdash \mathsf{fun}\ f(x{:}\tau'_1){:}\tau''_1\ \mathsf{is}\ e_1 = \mathsf{fun}\ f(x{:}\tau'_2){:}\tau''_2\ \mathsf{is}\ e_2 : (x{:}\tau'_1) \to \tau''_1} \tag{2.82}$$

$$\frac{\Gamma \vdash K_1 = K_2 \qquad \Gamma, \alpha{::}K_1 \vdash \tau_1 = \tau_2 \qquad \Gamma, \alpha{::}K_1 \vdash e_1 = e_2 : \tau_1}{\Gamma \vdash \Lambda(\alpha{::}K_1){:}\tau_1.e_1 = \Lambda(\alpha{::}K_2){:}\tau_2.e_2 : \forall\alpha{::}K_1.\tau_1} \tag{2.83}$$

$$\frac{\Gamma \vdash v'_1 = v'_2 : \tau' \qquad \Gamma \vdash v''_1 = v''_2 : \tau''}{\Gamma \vdash \langle v'_1, v''_1 \rangle = \langle v'_2, v''_2 \rangle : \tau' \times \tau''} \tag{2.84}$$

$$\frac{\Gamma \vdash v_1 = v_2 : (x{:}\tau') \times \tau''}{\Gamma \vdash \pi_1 v_1 = \pi_1 v_2 : \tau'} \tag{2.85}$$

$$\frac{\Gamma \vdash v_1 = v_2 : (x{:}\tau') \times \tau''}{\Gamma \vdash \pi_2 v_1 = \pi_2 v_2 : [\pi_1 v_1/x]\tau''} \tag{2.86}$$

$$\frac{\Gamma \vdash v_1 = v_2 : \tau' \to \tau'' \qquad \Gamma \vdash v'_1 = v'_2 : \tau'}{\Gamma \vdash v_1\,v'_1 = v_2\,v'_2 : \tau''} \tag{2.87}$$

$$\frac{\Gamma \vdash v_1 = v_2 : \forall\alpha{::}K.\tau \qquad \Gamma \vdash A_1 = A_2 :: K}{\Gamma \vdash v_1\,A_1 = v_2\,A_2 : [A_1/\alpha]\tau} \tag{2.88}$$

$$\frac{\Gamma \vdash \tau'_1 = \tau'_2 \qquad \Gamma \vdash e'_1 = e'_2 : \tau'_1 \qquad \Gamma \vdash \tau_1 = \tau_2 \qquad \Gamma, x{:}\tau'_1 \vdash e_1 = e_2 : \tau_1}{\Gamma \vdash (\mathsf{let}\ x{:}\tau'_1 = e'_1\ \mathsf{in}\ e_1 : \tau_1\ \mathsf{end}) = (\mathsf{let}\ x{:}\tau'_2 = e'_2\ \mathsf{in}\ e_2 : \tau_2\ \mathsf{end}) : \tau_1} \tag{2.89}$$

As at the constructor level, there is a singleton elimination rule for equivalence.

$$\frac{\Gamma \vdash v_1 : S(v_2 : \tau)}{\Gamma \vdash v_1 = v_2 : S(v_2 : \tau)} \tag{2.90}$$

Finally there is a subsumption rule.

$$\frac{\Gamma \vdash e_1 = e_2 : \tau_1 \qquad \Gamma \vdash \tau_1 \le \tau_2}{\Gamma \vdash e_1 = e_2 : \tau_2} \tag{2.91}$$
2.3 Admissible Rules

This section lists a number of interesting or useful rules which become admissible in the presence
of singletons. The proofs of admissibility are deferred until §3.3.

In MIL₀, the kind $S(A)$ is well-formed if and only if $A$ is of the base kind $T$. This initially
seems restrictive, especially when compared with singleton types which can contain values of any
(non-singleton) type. One might expect to find singleton kinds of the form $S(A :: K)$ representing
the kind of all constructors equivalent to $A$ when compared at kind $K$, for example to encode
definitions of constructor-level functions. However, these labeled singletons are definable in MIL₀;
Figure 2.4 defines these by indu:ction on the size of the kind label.

For example, if $\beta$ has kind $T \to T$, then $S(\beta :: T \to T)$ is defined to be $\Pi\alpha{::}T.S(\beta\,\alpha)$. This can
be interpreted as "the kind of all functions which, when applied, yield the same answer as $\beta$ does",
or "the kind of all functions which agree pointwise with $\beta$". By extensionality, any such function
$$\begin{array}{rcl}
S(A :: T) & := & S(A) \\
S(A :: S(A')) & := & S(A) \\
S(A :: \Pi\alpha{::}K_1.K_2) & := & \Pi\alpha{::}K_1.(S(A\,\alpha :: K_2)) \\
S(A :: \Sigma\alpha{::}K_1.K_2) & := & (S(\pi_1 A :: K_1)) \times (S(\pi_2 A :: [\pi_1 A/\alpha]K_2))
\end{array}$$

Figure 2.4: Encodings of Labeled Singleton Kinds


is provably equivalent to $\beta$, and indeed the non-standard kinding rules mentioned in §2.1 are vital
in proving that $\beta$ has this kind.

Since kinds only matter up to equivalence, the definitions in Figure 2.4 are not unique. One
could, for example, define $S(A :: S(A'))$ to be $S(A')$, or define $S(A :: \Sigma\alpha{::}K_1.K_2)$ to be
$\Sigma\alpha{::}S(\pi_1 A :: K_1).S(\pi_2 A :: K_2)$.
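Two added worked examples of the encoding (mine, not part of the dissertation's text). First, unfolding Figure 2.4 on a kind label that nests a function kind inside a pair kind, where $T \to T$ abbreviates $\Pi\alpha{::}T.T$ and the substitution $[\pi_1\beta/\alpha]$ has no effect because $\alpha$ does not occur in $T \to T$:

$$\begin{array}{rcl}
S(\beta :: \Sigma\alpha{::}T.(T \to T)) & = & S(\pi_1\beta :: T) \times S(\pi_2\beta :: [\pi_1\beta/\alpha](T \to T)) \\
& = & S(\pi_1\beta) \times S(\pi_2\beta :: \Pi\alpha{::}T.T) \\
& = & S(\pi_1\beta) \times \Pi\alpha{::}T.S(\pi_2\beta\,\alpha :: T) \\
& = & S(\pi_1\beta) \times \Pi\alpha{::}T.S(\pi_2\beta\,\alpha)
\end{array}$$

Second, the derivation that a function variable inhabits its own encoded singleton, which is the instance $\beta{::}T \to T \vdash \beta :: S(\beta :: T \to T)$ of the admissible Rule 2.93 below and shows where Rule 2.31 is needed. Write $\Gamma$ for $\beta{::}T \to T$; the variable rule is cited by name since its number does not appear in this excerpt.

1. $\Gamma, \alpha{::}T \vdash \beta\,\alpha :: T$ (Rule 2.25, from the variable rule for $\beta$ and for $\alpha$).
2. $\Gamma, \alpha{::}T \vdash \beta\,\alpha :: S(\beta\,\alpha)$ (Rule 2.29). This is the first premise of Rule 2.31 with $K' = T$ and $K'' = S(\beta\,\alpha)$.
3. $\Gamma \vdash \beta :: \Pi\alpha{::}T.T$ (variable rule), the second premise with $L' = L'' = T$.
4. $\Gamma \vdash T = T$ (reflexivity of kind equivalence, Proposition 3.1.3), the third premise.
5. Rule 2.31 concludes

$$\beta{::}T \to T \vdash \beta :: \Pi\alpha{::}T.S(\beta\,\alpha),$$

which is $S(\beta :: T \to T)$ by Figure 2.4.

Without Rule 2.31 the kinds derivable for $\beta$ are $T \to T$ and its superkinds, none of which distinguishes $\beta$ from any other function of kind $T \to T$; the singleton codomain $S(\beta\,\alpha)$ can only be attached to $\beta$ itself by a rule that kinds a constructor through its eta-expansion.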

The following rules are admissible, showing that the defined singleton kinds do behave appropriately.

$$\frac{\Gamma \vdash A :: K}{\Gamma \vdash S(A :: K)} \tag{2.92}$$

$$\frac{\Gamma \vdash A :: K}{\Gamma \vdash A :: S(A :: K)} \tag{2.93}$$

$$\frac{\Gamma \vdash A :: K}{\Gamma \vdash S(A :: K) \le K} \tag{2.94}$$

$$\frac{\Gamma \vdash A_1 = A_2 :: K_1 \qquad \Gamma \vdash K_1 \le K_2}{\Gamma \vdash S(A_1 :: K_1) \le S(A_2 :: K_2)} \tag{2.95}$$

$$\frac{\Gamma \vdash A_1 = A_2 :: K}{\Gamma \vdash A_1 = A_2 :: S(A_1 :: K)} \tag{2.96}$$

$$\frac{\Gamma \vdash A_2 :: K \qquad \Gamma \vdash A_1 :: S(A_2 :: K)}{\Gamma \vdash A_1 = A_2 :: S(A_2 :: K)} \tag{2.97}$$

Note that $\Gamma \vdash S(A :: K)$ need not imply $\Gamma \vdash A :: K$. (For example, according to Figure 2.4 we
have $S(\mathrm{Boxedfloat} :: S(\mathrm{Int})) = S(\mathrm{Boxedfloat})$, and therefore $\vdash S(\mathrm{Boxedfloat} :: S(\mathrm{Int}))$ even though
$\mathrm{Boxedfloat}$ cannot be shown to have kind $S(\mathrm{Int})$.) This explains the premise $\Gamma \vdash A_2 :: K$ in Rule 2.97.


Next, we have versions of existing rules allowing dependencies where the primitive rules require
non-dependent types or kinds. (For example, compare Rules 2.25 and 2.98, or Rules 2.26 and 2.100.)

$$\frac{\Gamma \vdash A :: \Pi\alpha{::}K'.K'' \qquad \Gamma \vdash A' :: K'}{\Gamma \vdash A\,A' :: [A'/\alpha]K''} \tag{2.98}$$

$$\frac{\Gamma \vdash A_1 = A_2 :: \Pi\alpha{::}K'.K'' \qquad \Gamma \vdash A'_1 = A'_2 :: K'}{\Gamma \vdash A_1\,A'_1 = A_2\,A'_2 :: [A'_1/\alpha]K''} \tag{2.99}$$

$$\frac{\Gamma \vdash \Sigma\alpha{::}K'.K'' \qquad \Gamma \vdash A' :: K' \qquad \Gamma \vdash A'' :: [A'/\alpha]K''}{\Gamma \vdash \langle A', A'' \rangle :: \Sigma\alpha{::}K'.K''} \tag{2.100}$$

$$\frac{\Gamma \vdash \Sigma\alpha{::}K'.K'' \qquad \Gamma \vdash A'_1 = A'_2 :: K' \qquad \Gamma \vdash A''_1 = A''_2 :: [A'_1/\alpha]K''}{\Gamma \vdash \langle A'_1, A''_1 \rangle = \langle A'_2, A''_2 \rangle :: \Sigma\alpha{::}K'.K''} \tag{2.101}$$

$$\frac{\Gamma \vdash \Sigma\alpha{::}K'.K'' \qquad \Gamma \vdash \pi_1 A_1 = \pi_1 A_2 :: K' \qquad \Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: [\pi_1 A_1/\alpha]K''}{\Gamma \vdash A_1 = A_2 :: \Sigma\alpha{::}K'.K''} \tag{2.102}$$

$$\frac{\Gamma \vdash v : (x{:}\tau') \to \tau'' \qquad \Gamma \vdash v' : \tau'}{\Gamma \vdash v\,v' : [v'/x]\tau''} \tag{2.103}$$

$$\frac{\Gamma \vdash v_1 = v_2 : (x{:}\tau') \to \tau'' \qquad \Gamma \vdash v'_1 = v'_2 : \tau'}{\Gamma \vdash v_1\,v'_1 = v_2\,v'_2 : [v'_1/x]\tau''} \tag{2.104}$$

$$\frac{\Gamma \vdash (x{:}\tau') \times \tau'' \qquad \Gamma \vdash v' : \tau' \qquad \Gamma \vdash v'' : [v'/x]\tau''}{\Gamma \vdash \langle v', v'' \rangle : (x{:}\tau') \times \tau''} \tag{2.105}$$

$$\frac{\Gamma \vdash (x{:}\tau') \times \tau'' \qquad \Gamma \vdash v'_1 = v'_2 : \tau' \qquad \Gamma \vdash v''_1 = v''_2 : [v'_1/x]\tau''}{\Gamma \vdash \langle v'_1, v''_1 \rangle = \langle v'_2, v''_2 \rangle : (x{:}\tau') \times \tau''} \tag{2.106}$$
Next, a remarkable observation of Aspinall [Asp95] is that the β-rule for function applications
can be admissible in the presence of singletons. In MIL₀, which contains pairs, the projection rules
become admissible as well.

$$\frac{\Gamma, \alpha{::}K' \vdash A :: K'' \qquad \Gamma \vdash A' :: K'}{\Gamma \vdash (\lambda\alpha{::}K'.A)\,A' = [A'/\alpha]A :: [A'/\alpha]K''} \tag{2.107}$$

$$\frac{\Gamma \vdash A_1 :: K_1 \qquad \Gamma \vdash A_2 :: K_2}{\Gamma \vdash \pi_1\langle A_1, A_2 \rangle = A_1 :: K_1} \tag{2.108}$$

$$\frac{\Gamma \vdash A_1 :: K_1 \qquad \Gamma \vdash A_2 :: K_2}{\Gamma \vdash \pi_2\langle A_1, A_2 \rangle = A_2 :: K_2} \tag{2.109}$$

β-equivalence for functions is admissible at the constructor level, but not at the term level; this
is a consequence of term applications being non-values. (It is easy to prove that β-equivalence
for terms is not admissible. The defining rules of term equivalence only equate values to values
or non-values to non-values; in contrast, β-equivalence can equate applications with values.) The
projection rules for term-level pairs remain, however.
$$\frac{\Gamma \vdash v_1 : \tau_1 \qquad \Gamma \vdash v_2 : \tau_2}{\Gamma \vdash \pi_1\langle v_1, v_2 \rangle = v_1 : \tau_1} \tag{2.110}$$

$$\frac{\Gamma \vdash v_1 : \tau_1 \qquad \Gamma \vdash v_2 : \tau_2}{\Gamma \vdash \pi_2\langle v_1, v_2 \rangle = v_2 : \tau_2} \tag{2.111}$$

It is occasionally convenient to have "parallel" versions of these equivalences:

$$\frac{\Gamma, \alpha{::}K' \vdash A_1 = A_2 :: K'' \qquad \Gamma \vdash A'_1 = A'_2 :: K'}{\Gamma \vdash (\lambda\alpha{::}K'.A_1)\,A'_1 = [A'_2/\alpha]A_2 :: [A'_1/\alpha]K''} \tag{2.112}$$

$$\frac{\Gamma \vdash A_1 = A'_1 :: K_1 \qquad \Gamma \vdash A_2 :: K_2}{\Gamma \vdash \pi_1\langle A_1, A_2 \rangle = A'_1 :: K_1} \tag{2.113}$$

$$\frac{\Gamma \vdash A_1 :: K_1 \qquad \Gamma \vdash A_2 = A'_2 :: K_2}{\Gamma \vdash \pi_2\langle A_1, A_2 \rangle = A'_2 :: K_2} \tag{2.114}$$

$$\frac{\Gamma \vdash v_1 = v'_1 : \tau_1 \qquad \Gamma \vdash v_2 : \tau_2}{\Gamma \vdash \pi_1\langle v_1, v_2 \rangle = v'_1 : \tau_1} \tag{2.115}$$

$$\frac{\Gamma \vdash v_1 : \tau_1 \qquad \Gamma \vdash v_2 = v'_2 : \tau_2}{\Gamma \vdash \pi_2\langle v_1, v_2 \rangle = v'_2 : \tau_2} \tag{2.116}$$

In the presence of both β-equivalence and extensionality, η-rules for functions and pairs become
admissible as well.

$$\frac{\Gamma \vdash A :: \Pi\alpha{::}K'.K''}{\Gamma \vdash A = \lambda\alpha{::}K'.(A\,\alpha) :: \Pi\alpha{::}K'.K''} \tag{2.117}$$

$$\frac{\Gamma \vdash A :: \Sigma\alpha{::}K'.K''}{\Gamma \vdash A = \langle \pi_1 A, \pi_2 A \rangle :: \Sigma\alpha{::}K'.K''} \tag{2.118}$$

Finally, I give variants of the introduction and elimination rules for singleton kinds and types:

$$\frac{\Gamma \vdash A = B :: T}{\Gamma \vdash A :: S(B)} \tag{2.119}$$

$$\frac{\Gamma \vdash A = B :: T}{\Gamma \vdash A = B :: S(A)} \tag{2.120}$$

$$\frac{\Gamma \vdash A :: S(B)}{\Gamma \vdash A = B :: T} \tag{2.121}$$

$$\frac{\Gamma \vdash v = w : \tau}{\Gamma \vdash v : S(w : \tau)} \quad (\tau \text{ not a singleton}) \tag{2.122}$$

$$\frac{\Gamma \vdash v_1 = v_2 : \tau}{\Gamma \vdash v_1 = v_2 : S(v_1 : \tau)} \quad (\tau \text{ not a singleton}) \tag{2.123}$$

$$\frac{\Gamma \vdash v_1 : S(v_2 : \tau)}{\Gamma \vdash v_1 = v_2 : \tau} \tag{2.124}$$
2.4 Dynamic Semantics

I give the operational meaning of a program in terms of a small-step contextual semantics: the
dynamic semantics defines the possible execution steps $e_1 \leadsto e_2$ for programs (closed terms), and
evaluation of a program corresponds to repeatedly taking an execution step until no more steps apply.

The evaluation strategy used by MIL₀ for both constructors and terms is left-to-right call-by-value.
Furthermore, constructors are evaluated as well as ordinary terms. (For MIL₀ as presented
this is not actually necessary; this choice was made in preparation for adding constructor analysis
constructs such as typecase to the language; type and kind annotations on terms, however, never
require evaluation.) This requires a notion of fully-evaluated constructors and terms, denoted $A$
and $v$ respectively:

$$\begin{array}{rcl}
A & ::= & c\,A_1 \cdots A_n \quad (n \ge 0) \\
& \mid & \langle A_1, A_2 \rangle \\
& \mid & \lambda\alpha{::}K'.A \\[1ex]
v & ::= & n \\
& \mid & \mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e \\
& \mid & \Lambda(\alpha{::}K){:}\tau.e \\
& \mid & \langle v_1, v_2 \rangle
\end{array}$$

Since evaluation concerns only closed terms and types, variables and projections need not be
included here.

The operational semantics uses Felleisen's evaluation context formulation [Fel88] of Plotkin's
structured operational semantics (SOS) [Plo81]. This involves the definition of a collection of
primitive "instructions" (denoted $I$) and their one-step reducts (denoted $R$). The relation between
instructions and reducts, written $I \leadsto R$, is shown in Figure 2.5.

Evaluation is extended to one-step reduction for arbitrary terms and constructors through the
use of constructor-level and term-level evaluation contexts, denoted by $U$ and $C$ respectively. These
are a restricted form of constructor or term containing a single "hole" $\circ$:

$$\begin{array}{rcl}
U & ::= & \circ \ \mid\ U\,A \ \mid\ A\,U \ \mid\ \pi_1 U \ \mid\ \pi_2 U \ \mid\ \langle U, A \rangle \ \mid\ \langle A, U \rangle \\[1ex]
C & ::= & \circ \ \mid\ C\,e \ \mid\ v\,C \ \mid\ \pi_1 C \ \mid\ \pi_2 C \ \mid\ C\,A \ \mid\ v\,U \ \mid\ \mathsf{let}\ x{:}\tau' = C\ \mathsf{in}\ e : \tau\ \mathsf{end}
\end{array}$$

The notations $U[A]$, $C[A]$ and $C[e]$ denote the result of replacing the hole in the evaluation context
with the specified constructor or term. (Since the hole never occurs within the scope of bound
variables in the evaluation context, there is no possibility of variable capture.) The evaluation
contexts represent a "stack" or "continuation" for the expression being currently evaluated; the
specific choice of evaluation contexts enforces the call-by-value nature of the language.

Then the full one-step reduction relation is defined as follows:

$$\begin{array}{rcl}
A \leadsto A' & \iff & A = U[I] \text{ and } I \leadsto R \text{ and } A' = U[R] \\
e \leadsto e' & \iff & e = C[I] \text{ and } I \leadsto R \text{ and } e' = C[R]
\end{array}$$
$$\begin{array}{rcl}
(\lambda\alpha{::}K'.B)\,A & \leadsto & [A/\alpha]B \\
\pi_1\langle A_1, A_2 \rangle & \leadsto & A_1 \\
\pi_2\langle A_1, A_2 \rangle & \leadsto & A_2 \\
(\mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e)\,v & \leadsto & [\mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e/f][v/x]e \\
(\Lambda(\alpha{::}K){:}\tau.e)\,A & \leadsto & [A/\alpha]e \\
\pi_1\langle v_1, v_2 \rangle & \leadsto & v_1 \\
\pi_2\langle v_1, v_2 \rangle & \leadsto & v_2 \\
\mathsf{let}\ x{:}\tau' = v\ \mathsf{in}\ e : \tau\ \mathsf{end} & \leadsto & [v/x]e
\end{array}$$

Figure 2.5: Reductions of Instructions


For example, consider the term

$$\big((\Lambda(\alpha{::}T){:}\mathrm{Ty}(\alpha) \to \mathrm{Ty}(\alpha).\mathsf{fun}\ f(x{:}\mathrm{Ty}(\alpha)){:}\mathrm{Ty}(\alpha)\ \mathsf{is}\ x)\ ((\lambda\alpha{::}T.\alpha)\ \mathrm{Int})\big)\ 3.$$

For the remainder of this example I elide the return-type annotations, yielding

$$\big((\Lambda(\alpha{::}T).\mathsf{fun}\ f(x{:}\mathrm{Ty}(\alpha))\ \mathsf{is}\ x)\ ((\lambda\alpha{::}T.\alpha)\ \mathrm{Int})\big)\ 3.$$

This program evaluates to 3 because

$$\begin{array}{cl}
& ((\Lambda(\alpha{::}T).\mathsf{fun}\ f(x{:}\mathrm{Ty}(\alpha))\ \mathsf{is}\ x)\ ((\lambda\alpha{::}T.\alpha)\ \mathrm{Int}))\ 3 \\
= & (((\Lambda(\alpha{::}T).\mathsf{fun}\ f(x{:}\mathrm{Ty}(\alpha))\ \mathsf{is}\ x)\ \circ)\ 3)[(\lambda\alpha{::}T.\alpha)\ \mathrm{Int}] \\
\leadsto & (((\Lambda(\alpha{::}T).\mathsf{fun}\ f(x{:}\mathrm{Ty}(\alpha))\ \mathsf{is}\ x)\ \circ)\ 3)[\mathrm{Int}] \\
= & ((\Lambda(\alpha{::}T).\mathsf{fun}\ f(x{:}\mathrm{Ty}(\alpha))\ \mathsf{is}\ x)\ \mathrm{Int})\ 3 \\
= & (\circ\ 3)[(\Lambda(\alpha{::}T).\mathsf{fun}\ f(x{:}\mathrm{Ty}(\alpha))\ \mathsf{is}\ x)\ \mathrm{Int}] \\
\leadsto & (\circ\ 3)[\mathsf{fun}\ f(x{:}\mathrm{Ty}(\mathrm{Int}))\ \mathsf{is}\ x] \\
= & (\mathsf{fun}\ f(x{:}\mathrm{Ty}(\mathrm{Int}))\ \mathsf{is}\ x)\ 3 \\
= & \circ[(\mathsf{fun}\ f(x{:}\mathrm{Ty}(\mathrm{Int}))\ \mathsf{is}\ x)\ 3] \\
\leadsto & \circ[3] \\
= & 3
\end{array}$$

The proofs of important properties of evaluation, including type soundness (that "well-typed
programs don't go wrong"), are delayed until Chapter 8. The soundness proof is completely straightforward
and standard except for one key point: one must know that constructor and type equivalence
are sufficiently consistent. For example, the term-level application $3\,(4)$ makes no sense
dynamically. However, if $\mathrm{int} = \mathrm{int} \to \mathrm{int}$ were provable then one could prove the application well-typed:

$$\frac{\dfrac{3 : \mathrm{int} \qquad \dfrac{\mathrm{int} = \mathrm{int} \to \mathrm{int}}{\mathrm{int} \le \mathrm{int} \to \mathrm{int}}}{3 : \mathrm{int} \to \mathrm{int}} \qquad 4 : \mathrm{int}}{3\,4 : \mathrm{int}}$$

It is not immediately obvious that $\mathrm{int} = \mathrm{int} \to \mathrm{int}$ is not provable, perhaps using transitivity and
introducing and eliminating constructor definitions. The consistency of equivalence will follow
directly from the correctness of the decision algorithm for equivalence, which immediately rejects
all such type equations.
Chapter 3

Declarative Properties

In this chapter I study several basic properties of the MIL₀ calculus. The most important of these
are validity and functionality. From these I derive the definability of general singleton kinds, the
admissibility of the rules given in §2.3, and a strengthening property for constructor variables.

3.1 Preliminaries

Figure 3.1 defines typing-context-free judgment forms $J$. Given a context $\Gamma$ one can construct a
MIL₀ judgment $\Gamma \vdash J$. The substitution $\gamma J$ is defined by applying the substitution to the kinds,
constructors, types and terms making up $J$, while the free variable computation $FV(J)$ is similarly
defined as the union of the free variables of the phrases comprising $J$.

Proposition 3.1.1 (Subderivations)

1. Every proof of $\Gamma \vdash J$ contains a subderivation $\Gamma \vdash \mathrm{ok}$.

2. Every proof of $\Gamma_1, \alpha{::}K, \Gamma_2 \vdash J$ contains a strict subderivation $\Gamma_1 \vdash K$.

3. Every proof of $\Gamma_1, x{:}\tau, \Gamma_2 \vdash J$ contains a strict subderivation $\Gamma_1 \vdash \tau$.

Proof: By induction on derivations. □

Proposition 3.1.2

If $\Gamma \vdash J$ then $FV(J) \subseteq \mathrm{dom}(\Gamma)$.

Proof: By induction on derivations. □

Proposition 3.1.3 (Reflexivity)

1. If $\Gamma \vdash \mathrm{ok}$ then $\Gamma \vdash \Gamma = \Gamma$.

2. If $\Gamma \vdash K$ then $\Gamma \vdash K = K$.

3. If $\Gamma \vdash K$ then $\Gamma \vdash K \le K$.

4. If $\Gamma \vdash A :: K$ then $\Gamma \vdash A = A :: K$.

5. If $\Gamma \vdash \tau$ then $\Gamma \vdash \tau \le \tau$.

6. If $\Gamma \vdash \tau$ then $\Gamma \vdash \tau = \tau$.

7. If $\Gamma \vdash e : \tau$ then $\Gamma \vdash e = e : \tau$.
$$\begin{array}{rcl}
J & ::= & \mathrm{ok} \\
& \mid & \Gamma_1 = \Gamma_2 \\
& \mid & K \\
& \mid & K_1 \le K_2 \\
& \mid & K_1 = K_2 \\
& \mid & A :: K \\
& \mid & A_1 = A_2 :: K \\
& \mid & \tau \\
& \mid & \tau_1 \le \tau_2 \\
& \mid & \tau_1 = \tau_2 \\
& \mid & e : \tau \\
& \mid & e_1 = e_2 : \tau
\end{array}$$

Figure 3.1: Context-Free Judgment Forms


Proof: By induction on derivations. □

Definition 3.1.4

The relation $\Gamma_1 \subseteq \Gamma_2$ on contexts is defined to hold if neither $\Gamma_1$ nor $\Gamma_2$ binds types or kinds to the
same variable twice, and if the contexts viewed as partial functions give the same result for every
constructor or term variable in $\mathrm{dom}(\Gamma_1)$.

Thus if $\Gamma_1 \subseteq \Gamma_2$ then $\mathrm{dom}(\Gamma_1) \subseteq \mathrm{dom}(\Gamma_2)$ and $\Gamma_1$ appears as a (not necessarily consecutive)
subsequence of $\Gamma_2$. I will also write $\Gamma_2 \supseteq \Gamma_1$ to mean $\Gamma_1 \subseteq \Gamma_2$.

Proposition 3.1.5 (Weakening)

1. If $\Gamma_1 \vdash J$ and $\Gamma_1 \subseteq \Gamma_2$ and $\Gamma_2 \vdash \mathrm{ok}$ then $\Gamma_2 \vdash J$.

2. If $\Gamma_1, \alpha{::}K_2, \Gamma_2 \vdash J$ and $\Gamma_1 \vdash K_1 \le K_2$ and $\Gamma_1 \vdash K_1$ then $\Gamma_1, \alpha{::}K_1, \Gamma_2 \vdash J$.

3. If $\Gamma_1, x{:}\tau_2, \Gamma_2 \vdash J$ and $\Gamma_1 \vdash \tau_1 \le \tau_2$ and $\Gamma_1 \vdash \tau_1$ then $\Gamma_1, x{:}\tau_1, \Gamma_2 \vdash J$.

Later I show that the assumption $\Gamma_1 \vdash K_1$ is already implied by $\Gamma_1 \vdash K_1 \le K_2$, and similarly that
$\Gamma_1 \vdash \tau_1$ is implied by $\Gamma_1 \vdash \tau_1 \le \tau_2$.

Definition 3.1.6 (Sizes of Kinds)

The size of a kind or a type is a strictly positive integer; it is defined inductively on the structure
of kinds:

$$\begin{array}{rcl}
\mathrm{size}(T) & = & 1 \\
\mathrm{size}(S(A)) & = & 2 \\
\mathrm{size}(\Pi\alpha{::}K'.K'') & = & \mathrm{size}(K') + \mathrm{size}(K'') + 2 \\
\mathrm{size}(\Sigma\alpha{::}K'.K'') & = & \mathrm{size}(K') + \mathrm{size}(K'') + 2
\end{array}$$

The size of a kind depends only on its "shape" and is thus invariant under substitutions. The key
properties of this measure are that $\mathrm{size}(S(A)) > \mathrm{size}(T)$ and that the size of a Π or Σ is strictly
greater than the sizes of (all substitution instances of) its constituent kinds.

Proposition 3.1.7 (Antisymmetry of Subkinding)

$\Gamma \vdash K_1 \le K_2$ and $\Gamma \vdash K_2 \le K_1$ if and only if $\Gamma \vdash K_1 = K_2$.
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Proof: 

=7 By induction on size{K\) + size(K 2 ), and cases on the possible last steps in the proofs of 
r b Kx < K 2 and T b K 2 < K Y . 

- Case: K\ — K 2 = T. Trivial, since by Proposition 3 . 1.1 we have F b ok. 

- Case: K\ = S(j4i) and K 2 = S(A 2 ). By inversion of T b K\ < K 2 we have 
r b Ai = A 2 :: T, so T b S(A X ) = S(A 2 ). 

- Case: 

T b n or.:K' 2 .K% 

r h k[<k' 2 

Y,a::K[ h K'{ < K'{ 

T h no'::^.^ < Uo^K[^ 

1. By the inductive hypothesis, T \- K[ = K' 2 . 

2. By Proposition 3.1.1, there is a strict subderivation T h K[. 

3. By Proposition 3.1.5, T,a::K[ h K " < K 2 . 

4. By the inductive hypothesis, T, a::K[ b K" = K". 

5. Thus T b Yicr.:K[.K'{ = n a::K' 2 .K!{. 

— The case for S-kinds is analogous. 

4= By induction on the proof of T b K\ = K ->. using Proposition 3.1.5. 

I 

The subtyping relation is similarly antisymmetric, but the proof is more complex in the presence 
of the transitivity rule (Rule 2.61). I return to this point in §7.3. 

Proposition 3.1.8 (Symmetry and Transitivity of Kind Equivalence) 

1. If T b Ki = K 2 then T b K 2 = K x 

2. If T b K x = K 2 and YY-K 2 = K Z then T \- K\ = K z . 

Proof: By induction on derivations. I 

Proposition 3.1.9 (Transitivity of Subkinding) 

IfY b K x < K 2 and T b K 2 < K z then T b K x < K z . 

Proof: By induction on derivations. I 

Definition 3.1.10 

The judgment A b 7 : T holds if and only if the following conditions all hold: 

1. Ah ok 

2. Va € dom(r). A b 7 (r(a)) 

3. Vet € dom(r). A b 70 ::: 7 (r(a)) 

4 . Vx G dom(r). A b 7 (r(x)) 

5. 'ix G dom(r). A b 72 :: 7 (r(a:)) 


T b K' 2 < K[ 
r,a::^bKf<^ 

T b Ua::K[.K” < Y[a::K' 2 .K'f 


and 
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Proposition 3.1.11 (Substitution) 

1. If r h J and A b 7 : T then A I- 7 {J). 

2. IfF u a::K, T 2 h ok and r, h A :: K then T u [A/a]T 2 h ok. 

3. If T\,x:t,T 2 ok and Ti h v : r then Fi, [v/x\T 2 b ok. 

4. IfT u a::K,T 2 b J and Tj h A :: X then T,, [y 4 /o]r 2 b [vl/a]J. 

5. IfT\,x\T,T 2 b JF and Fj h v : r then Tj, [?;/.t]F 2 b [v/x]J. 

Proof: 

1. By induction on the proof of T h J. 

2-5. By simultaneous induction on the context in the first, assumption and by part 1. 

I 

3.2 Validity and Functionality

I next show two important features of the calculus. Validity is the property that any phrase appearing within a judgment is well-formed (e.g., if $\Gamma \vdash A_1 = A_2 :: K$ then $\Gamma \vdash \mathrm{ok}$ and $\Gamma \vdash K$ and $\Gamma \vdash A_1 :: K$ and $\Gamma \vdash A_2 :: K$). Functionality states that applying equivalent substitutions to related phrases yields related phrases.

The rules have been structured to assume validity for premises and to guarantee and preserve validity for conclusions. A simple proof, however, is hindered by the presence of dependencies in types and kinds. The direct approach by induction on derivations fails because of cases such as Rule 2.39:

$$\frac{\Gamma \vdash A_1 = A_2 :: \Sigma\alpha{::}K'.K''}{\Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: [\pi_1 A_1/\alpha]K''}$$

Here we need $\Gamma \vdash \pi_2 A_2 :: [\pi_1 A_1/\alpha]K''$, but from the inductive hypothesis we get only $\Gamma \vdash \pi_2 A_2 :: [\pi_1 A_2/\alpha]K''$. The desired result would follow, however, if we knew that $\Gamma \vdash [\pi_1 A_2/\alpha]K'' \le [\pi_1 A_1/\alpha]K''$. Since $\Gamma \vdash \pi_1 A_2 = \pi_1 A_1 :: K'$, the subkinding judgment required follows from functionality.

This suggests one should first prove functionality. The most general form of functionality also cannot be easily proved directly, but the proof does go through for the restricted case of equivalent substitutions being applied to a single phrase. This suffices to show validity, and together these allow a simple proof of general functionality.

Definition 3.2.1

The judgment $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$ holds if and only if the following conditions all hold:

1. $\Delta \vdash \gamma_1 : \Gamma$ and $\Delta \vdash \gamma_2 : \Gamma$

2. $\forall \alpha \in \mathrm{dom}(\Gamma).\ \Delta \vdash \gamma_1(\Gamma(\alpha)) = \gamma_2(\Gamma(\alpha))$

3. $\forall \alpha \in \mathrm{dom}(\Gamma).\ \Delta \vdash \gamma_1\alpha = \gamma_2\alpha :: \gamma_1(\Gamma(\alpha))$

4. $\forall x \in \mathrm{dom}(\Gamma).\ \Delta \vdash \gamma_1(\Gamma(x)) = \gamma_2(\Gamma(x))$

5. $\forall x \in \mathrm{dom}(\Gamma).\ \Delta \vdash \gamma_1 x = \gamma_2 x : \gamma_1(\Gamma(x))$

Lemma 3.2.2 (Substitution Extension)

1. If $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$, $\alpha \notin \mathrm{dom}(\Delta)$, $\Delta \vdash \gamma_1 K$, $\Delta \vdash \gamma_2 K$, and $\Delta \vdash \gamma_1 K = \gamma_2 K$, then $\Delta, \alpha{::}\gamma_1 K \vdash \gamma_1[\alpha \mapsto \alpha] = \gamma_2[\alpha \mapsto \alpha] : (\Gamma, \alpha{::}K)$ and $\Delta, \alpha{::}\gamma_2 K \vdash \gamma_1[\alpha \mapsto \alpha] = \gamma_2[\alpha \mapsto \alpha] : (\Gamma, \alpha{::}K)$.

2. If $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$, $x \notin \mathrm{dom}(\Delta)$, $\Delta \vdash \gamma_1 \tau$, $\Delta \vdash \gamma_2 \tau$, and $\Delta \vdash \gamma_1 \tau = \gamma_2 \tau$, then $\Delta, x{:}\gamma_1\tau \vdash \gamma_1[x \mapsto x] = \gamma_2[x \mapsto x] : (\Gamma, x{:}\tau)$ and $\Delta, x{:}\gamma_2\tau \vdash \gamma_1[x \mapsto x] = \gamma_2[x \mapsto x] : (\Gamma, x{:}\tau)$.

Proof: By the definition of $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$, Proposition 3.1.5, and the subsumption rules. $\square$

Proposition 3.2.3 (Simple Functionality)

1. If $\Gamma \vdash K$ and $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$ then $\Delta \vdash \gamma_1 K = \gamma_2 K$.

2. If $\Gamma \vdash A :: K$ and $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$ then $\Delta \vdash \gamma_1 A = \gamma_2 A :: \gamma_1 K$.

3. If $\Gamma \vdash \tau$ and $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$ then $\Delta \vdash \gamma_1 \tau = \gamma_2 \tau$.

4. If $\Gamma \vdash e : \tau$ and $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$ then $\Delta \vdash \gamma_1 e = \gamma_2 e : \gamma_1 \tau$.

Proof: By induction on the proof of the first premise.

1. Kinds.

• Case: Rule 2.7
$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash \mathsf{T}}$$
Since $\Delta \vdash \mathrm{ok}$ we have $\Delta \vdash \mathsf{T} = \mathsf{T}$.

• Case: Rule 2.8
$$\frac{\Gamma \vdash A :: \mathsf{T}}{\Gamma \vdash \mathsf{S}(A)}$$
(a) By the inductive hypothesis, $\Delta \vdash \gamma_1 A = \gamma_2 A :: \mathsf{T}$.
(b) By Rule 2.17 then, $\Delta \vdash \mathsf{S}(\gamma_1 A) = \mathsf{S}(\gamma_2 A)$.

• Case: Rule 2.9
$$\frac{\Gamma, \alpha{::}K' \vdash K''}{\Gamma \vdash \Pi\alpha{::}K'.K''}$$
(a) Without loss of generality, $\alpha \notin \mathrm{dom}(\Delta)$.
(b) By Proposition 3.1.1, there are strict subderivations $\Gamma, \alpha{::}K' \vdash \mathrm{ok}$ and $\Gamma \vdash K'$.
(c) By inversion and Proposition 3.1.2, $\alpha \notin \mathrm{FV}(K')$.
(d) By the inductive hypothesis, $\Delta \vdash \gamma_1 K' = \gamma_2 K'$,
(e) and by Proposition 3.1.11, $\Delta \vdash \gamma_1 K'$ and $\Delta \vdash \gamma_2 K'$.
(f) Using Lemma 3.2.2, we have $\Delta, \alpha{::}\gamma_1 K' \vdash \gamma_1[\alpha \mapsto \alpha] = \gamma_2[\alpha \mapsto \alpha] : (\Gamma, \alpha{::}K')$.
(g) By the inductive hypothesis then, we have $\Delta, \alpha{::}\gamma_1 K' \vdash (\gamma_1[\alpha \mapsto \alpha])K'' = (\gamma_2[\alpha \mapsto \alpha])K''$.
(h) By substitution, $\Delta \vdash \gamma_1(\Pi\alpha{::}K'.K'')$.
(i) Therefore $\Delta \vdash \gamma_1(\Pi\alpha{::}K'.K'') = \gamma_2(\Pi\alpha{::}K'.K'')$.

• Case: Rule 2.10
$$\frac{\Gamma, \alpha{::}K' \vdash K''}{\Gamma \vdash \Sigma\alpha{::}K'.K''}$$
Analogous to the previous case.

2. Constructors.

• Case: Rule 2.20
$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash b :: \mathsf{T}}$$
Then $\Delta \vdash b = b :: \mathsf{T}$ because $\Delta \vdash \mathrm{ok}$.

• Case: Rule 2.21
$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash {\times} :: \mathsf{T}\to\mathsf{T}\to\mathsf{T}}$$
Then $\Delta \vdash {\times} = {\times} :: \mathsf{T}\to\mathsf{T}\to\mathsf{T}$ because $\Delta \vdash \mathrm{ok}$.

• Case: Rule 2.22
$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash {\to} :: \mathsf{T}\to\mathsf{T}\to\mathsf{T}}$$
Then $\Delta \vdash {\to} = {\to} :: \mathsf{T}\to\mathsf{T}\to\mathsf{T}$ because $\Delta \vdash \mathrm{ok}$.

• Case: Rule 2.23
$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash \alpha :: \Gamma(\alpha)}$$
Follows directly from the requirements for $\gamma_1$ and $\gamma_2$.

• Case: Rule 2.24
$$\frac{\Gamma, \alpha{::}K' \vdash A :: K''}{\Gamma \vdash \lambda\alpha{::}K'.A :: \Pi\alpha{::}K'.K''}$$
(a) Without loss of generality, $\alpha \notin \mathrm{dom}(\Delta)$.
(b) As in the case for Rule 2.9, we have $\Delta \vdash \gamma_1 K' = \gamma_2 K'$
(c) and $\Delta, \alpha{::}\gamma_1 K' \vdash \gamma_1[\alpha \mapsto \alpha] = \gamma_2[\alpha \mapsto \alpha] : (\Gamma, \alpha{::}K')$.
(d) Thus by the inductive hypothesis, $\Delta, \alpha{::}\gamma_1 K' \vdash (\gamma_1[\alpha \mapsto \alpha])A = (\gamma_2[\alpha \mapsto \alpha])A :: (\gamma_1[\alpha \mapsto \alpha])K''$.
(e) By Rule 2.36 we have $\Delta \vdash \gamma_1(\lambda\alpha{::}K'.A) = \gamma_2(\lambda\alpha{::}K'.A) :: \gamma_1(\Pi\alpha{::}K'.K'')$.

• Case: Rule 2.25
$$\frac{\Gamma \vdash A :: K' \to K'' \qquad \Gamma \vdash A' :: K'}{\Gamma \vdash A\,A' :: K''}$$
(a) By the inductive hypothesis, $\Delta \vdash \gamma_1 A = \gamma_2 A :: \gamma_1(K' \to K'')$
(b) and $\Delta \vdash \gamma_1 A' = \gamma_2 A' :: \gamma_1 K'$.
(c) Thus by Rule 2.37, $\Delta \vdash \gamma_1(A\,A') = \gamma_2(A\,A') :: \gamma_1 K''$.

• Case: Rule 2.26
$$\frac{\Gamma \vdash A' :: K' \qquad \Gamma \vdash A'' :: K''}{\Gamma \vdash \langle A', A''\rangle :: K' \times K''}$$
(a) By the inductive hypothesis, $\Delta \vdash \gamma_1 A' = \gamma_2 A' :: \gamma_1 K'$
(b) and $\Delta \vdash \gamma_1 A'' = \gamma_2 A'' :: \gamma_1 K''$.
(c) Thus $\Delta \vdash \langle \gamma_1 A', \gamma_1 A''\rangle = \langle \gamma_2 A', \gamma_2 A''\rangle :: \gamma_1 K' \times \gamma_1 K''$ by Rule 2.40.

• Case: Rule 2.27
$$\frac{\Gamma \vdash A :: \Sigma\alpha{::}K'.K''}{\Gamma \vdash \pi_1 A :: K'}$$
(a) By the inductive hypothesis, $\Delta \vdash \gamma_1 A = \gamma_2 A :: \gamma_1(\Sigma\alpha{::}K'.K'')$.
(b) By Rule 2.38, $\Delta \vdash \gamma_1(\pi_1 A) = \gamma_2(\pi_1 A) :: \gamma_1 K'$.

• Case: Rule 2.28
$$\frac{\Gamma \vdash A :: \Sigma\alpha{::}K'.K''}{\Gamma \vdash \pi_2 A :: [\pi_1 A/\alpha]K''}$$
(a) By the inductive hypothesis, $\Delta \vdash \gamma_1 A = \gamma_2 A :: \gamma_1(\Sigma\alpha{::}K'.K'')$.
(b) By Rule 2.39, $\Delta \vdash \pi_2(\gamma_1 A) = \pi_2(\gamma_2 A) :: [\pi_1(\gamma_1 A)/\alpha](\gamma_1[\alpha \mapsto \alpha])K''$.
(c) That is, $\Delta \vdash \pi_2(\gamma_1 A) = \pi_2(\gamma_2 A) :: \gamma_1([\pi_1 A/\alpha]K'')$.

• Case: Rule 2.29
$$\frac{\Gamma \vdash A :: \mathsf{T}}{\Gamma \vdash A :: \mathsf{S}(A)}$$
(a) By the inductive hypothesis, $\Delta \vdash \gamma_1 A = \gamma_2 A :: \mathsf{T}$.
(b) By substitution, $\Delta \vdash \gamma_1 A :: \mathsf{T}$.
(c) Thus $\Delta \vdash \gamma_1 A :: \mathsf{S}(\gamma_1 A)$,
(d) but $\Delta \vdash \mathsf{S}(\gamma_1 A) \le \mathsf{S}(\gamma_2 A)$,
(e) so $\Delta \vdash \gamma_1 A :: \mathsf{S}(\gamma_2 A)$.
(f) By Rule 2.44, $\Delta \vdash \gamma_1 A = \gamma_2 A :: \mathsf{S}(\gamma_2 A)$,
(g) and by subsumption and symmetry, $\Delta \vdash \gamma_2 A = \gamma_1 A :: \mathsf{T}$.
(h) Thus $\Delta \vdash \mathsf{S}(\gamma_2 A) \le \mathsf{S}(\gamma_1 A)$,
(i) and so $\Delta \vdash \gamma_1 A = \gamma_2 A :: \mathsf{S}(\gamma_1 A)$.

• Case: Rule 2.30
$$\frac{\Gamma \vdash \pi_1 A :: K' \qquad \Gamma \vdash \pi_2 A :: K''}{\Gamma \vdash A :: K' \times K''}$$
(a) By the inductive hypothesis, $\Delta \vdash \pi_1(\gamma_1 A) = \pi_1(\gamma_2 A) :: \gamma_1 K'$
(b) and $\Delta \vdash \pi_2(\gamma_1 A) = \pi_2(\gamma_2 A) :: \gamma_1 K''$.
(c) By Rule 2.41, $\Delta \vdash \gamma_1 A = \gamma_2 A :: (\gamma_1 K') \times (\gamma_1 K'')$.

• Case: Rule 2.31
$$\frac{\Gamma, \alpha{::}K' \vdash A\,\alpha :: K'' \qquad \Gamma \vdash A :: \Pi\alpha{::}L'.L'' \qquad \Gamma \vdash K' = L'}{\Gamma \vdash A :: \Pi\alpha{::}K'.K''}$$
(a) Without loss of generality, $\alpha \notin \mathrm{dom}(\Delta)$ and $\alpha \notin \mathrm{FV}(A)$.
(b) As in the case for Rule 2.9, $\Delta \vdash \gamma_1 K' = \gamma_2 K'$
(c) and $\Delta, \alpha{::}\gamma_1 K' \vdash \gamma_1[\alpha \mapsto \alpha] = \gamma_2[\alpha \mapsto \alpha] : (\Gamma, \alpha{::}K')$.
(d) Thus by the inductive hypothesis, $\Delta, \alpha{::}\gamma_1 K' \vdash (\gamma_1[\alpha \mapsto \alpha])(A\,\alpha) = (\gamma_2[\alpha \mapsto \alpha])(A\,\alpha) :: (\gamma_1[\alpha \mapsto \alpha])K''$.
(e) That is, $\Delta, \alpha{::}\gamma_1 K' \vdash (\gamma_1 A)\,\alpha = (\gamma_2 A)\,\alpha :: (\gamma_1[\alpha \mapsto \alpha])K''$.
(f) By Proposition 3.1.11, we have $\Delta \vdash \gamma_1 A :: \gamma_1(\Pi\alpha{::}L'.L'')$ and $\Delta \vdash \gamma_2 A :: \gamma_2(\Pi\alpha{::}L'.L'')$.
(g) Similarly we have $\Delta \vdash \gamma_1 K' = \gamma_1 L'$ and $\Delta \vdash \gamma_2 K' = \gamma_2 L'$,
(h) so by Proposition 3.1.8 we have $\Delta \vdash \gamma_1 K' = \gamma_2 L'$.
(i) Therefore by Rule 2.42, $\Delta \vdash \gamma_1 A = \gamma_2 A :: \gamma_1(\Pi\alpha{::}K'.K'')$.

• Case: Rule 2.32
$$\frac{\Gamma \vdash A :: K_1 \qquad \Gamma \vdash K_1 \le K_2}{\Gamma \vdash A :: K_2}$$
(a) By the inductive hypothesis, $\Delta \vdash \gamma_1 A = \gamma_2 A :: \gamma_1 K_1$.
(b) By Proposition 3.1.11, $\Delta \vdash \gamma_1 K_1 \le \gamma_1 K_2$.
(c) By Rule 2.43, $\Delta \vdash \gamma_1 A = \gamma_2 A :: \gamma_1 K_2$.

3. Types.

• Case: Rule 2.45
$$\frac{\Gamma \vdash A :: \mathsf{T}}{\Gamma \vdash \mathsf{Ty}(A)}$$
(a) By the inductive hypothesis, $\Delta \vdash \gamma_1 A = \gamma_2 A :: \mathsf{T}$.
(b) Thus $\Delta \vdash \mathsf{Ty}(\gamma_1 A) = \mathsf{Ty}(\gamma_2 A)$.

• Case: Rule 2.46
$$\frac{\Gamma \vdash v : \tau \qquad \tau \text{ not a singleton}}{\Gamma \vdash \mathsf{S}(v : \tau)}$$
(a) By the inductive hypothesis, $\Delta \vdash \gamma_1 v = \gamma_2 v : \gamma_1 \tau$
(b) and $\Delta \vdash \gamma_1 \tau = \gamma_2 \tau$.
(c) Since neither $\gamma_1 \tau$ nor $\gamma_2 \tau$ can be a singleton (because $\tau$ is not), we have $\Delta \vdash \mathsf{S}(\gamma_1 v : \gamma_1 \tau) = \mathsf{S}(\gamma_2 v : \gamma_2 \tau)$.

• Case: Rule 2.47
$$\frac{\Gamma, x{:}\tau' \vdash \tau''}{\Gamma \vdash (x{:}\tau') \to \tau''}$$
Same argument as for Rule 2.9.

• Case: Rule 2.48
$$\frac{\Gamma, x{:}\tau' \vdash \tau''}{\Gamma \vdash (x{:}\tau') \times \tau''}$$
Same argument as for Rule 2.10.

• Case: Rule 2.49
$$\frac{\Gamma, \alpha{::}K \vdash \tau}{\Gamma \vdash \forall\alpha{::}K.\tau}$$
Similar argument to that for Rule 2.9.

4. Terms.

• Case: Rules 2.67–2.78. Essentially the same proofs as for the corresponding constructor forms. $\square$

Proposition 3.2.4 (Validity)

1. If $\Gamma \vdash K_1 \le K_2$ then $\Gamma \vdash K_1$ and $\Gamma \vdash K_2$.

2. If $\Gamma \vdash K_1 = K_2$ then $\Gamma \vdash K_1$ and $\Gamma \vdash K_2$.

3. If $\Gamma \vdash A :: K$ then $\Gamma \vdash K$.

4. If $\Gamma \vdash A_1 = A_2 :: K$ then $\Gamma \vdash A_1 :: K$, $\Gamma \vdash A_2 :: K$, and $\Gamma \vdash K$.

5. If $\Gamma \vdash \tau_1 \le \tau_2$ then $\Gamma \vdash \tau_1$ and $\Gamma \vdash \tau_2$.

6. If $\Gamma \vdash \tau_1 = \tau_2$ then $\Gamma \vdash \tau_1$ and $\Gamma \vdash \tau_2$.

7. If $\Gamma \vdash e : \tau$ then $\Gamma \vdash \tau$.

8. If $\Gamma \vdash e_1 = e_2 : \tau$ then $\Gamma \vdash e_1 : \tau$, $\Gamma \vdash e_2 : \tau$, and $\Gamma \vdash \tau$.

Proof: By induction on derivations. There are only two interesting cases.

• Case: Rule 2.39.
$$\frac{\Gamma \vdash A_1 = A_2 :: \Sigma\alpha{::}K'.K''}{\Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: [\pi_1 A_1/\alpha]K''}$$

  1. By the inductive hypothesis, $\Gamma \vdash A_1 :: \Sigma\alpha{::}K'.K''$,
  2. $\Gamma \vdash A_2 :: \Sigma\alpha{::}K'.K''$,
  3. and $\Gamma \vdash \Sigma\alpha{::}K'.K''$.
  4. By inversion, $\Gamma, \alpha{::}K' \vdash K''$.
  5. Then $\Gamma \vdash \pi_2 A_1 :: [\pi_1 A_1/\alpha]K''$ by Rule 2.28.
  6. By Proposition 3.1.11, we have $\Gamma \vdash [\pi_1 A_1/\alpha]K''$.
  7. Since $\Gamma \vdash \pi_1 A_2 :: K'$ and $\Gamma \vdash \pi_1 A_1 :: K'$ and $\Gamma \vdash \pi_1 A_2 = \pi_1 A_1 :: K'$,
  8. we have $\Gamma \vdash [\pi_1 A_2/\alpha] = [\pi_1 A_1/\alpha] : (\Gamma, \alpha{::}K')$.
  9. By Propositions 3.2.3 and 3.1.7 we have $\Gamma \vdash [\pi_1 A_2/\alpha]K'' \le [\pi_1 A_1/\alpha]K''$.
  10. Thus by subsumption and $\Gamma \vdash \pi_2 A_2 :: [\pi_1 A_2/\alpha]K''$
  11. we have $\Gamma \vdash \pi_2 A_2 :: [\pi_1 A_1/\alpha]K''$.

• Case: Rule 2.86. The proof is analogous. $\square$


Corollary 3.2.5 (Full Functionality)

1. If $\Gamma \vdash A_1 = A_2 :: K$ and $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$ then $\Delta \vdash \gamma_1 A_1 = \gamma_2 A_2 :: \gamma_1 K$.

2. If $\Gamma \vdash K_1 = K_2$ and $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$ then $\Delta \vdash \gamma_1 K_1 = \gamma_2 K_2$.

3. If $\Gamma \vdash K_1 \le K_2$ and $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$ then $\Delta \vdash \gamma_1 K_1 \le \gamma_2 K_2$.

4. If $\Gamma \vdash \tau_1 = \tau_2$ and $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$ then $\Delta \vdash \gamma_1 \tau_1 = \gamma_2 \tau_2$.

5. If $\Gamma \vdash \tau_1 \le \tau_2$ and $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$ then $\Delta \vdash \gamma_1 \tau_1 \le \gamma_2 \tau_2$.

6. If $\Gamma \vdash e_1 = e_2 : \tau$ and $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$ then $\Delta \vdash \gamma_1 e_1 = \gamma_2 e_2 : \gamma_1 \tau$.

Proof:

1. Assume $\Gamma \vdash A_1 = A_2 :: K$ and $\Delta \vdash \gamma_1 = \gamma_2 : \Gamma$. By substitution (Proposition 3.1.11), $\Delta \vdash \gamma_1 A_1 = \gamma_1 A_2 :: \gamma_1 K$. By validity (Proposition 3.2.4) we have $\Gamma \vdash A_2 :: K$, and so by Proposition 3.2.3, $\Delta \vdash \gamma_1 A_2 = \gamma_2 A_2 :: \gamma_1 K$. By transitivity, $\Delta \vdash \gamma_1 A_1 = \gamma_2 A_2 :: \gamma_1 K$.

2–6. The remaining cases are similar. $\square$

Lemma 3.2.6

1. If $\Gamma', \alpha{::}K, \Gamma'' \vdash \mathrm{ok}$ and $\Gamma' \vdash A_1 = A_2 :: K$ then $\Gamma', [A_1/\alpha]\Gamma'' \vdash [A_1/\alpha] = [A_2/\alpha] : (\Gamma', \alpha{::}K, \Gamma'')$ and $\Gamma', [A_2/\alpha]\Gamma'' \vdash [A_1/\alpha] = [A_2/\alpha] : (\Gamma', \alpha{::}K, \Gamma'')$.

2. If $\Gamma', x{:}\tau, \Gamma'' \vdash \mathrm{ok}$ and $\Gamma' \vdash v_1 = v_2 : \tau$ then $\Gamma', [v_1/x]\Gamma'' \vdash [v_1/x] = [v_2/x] : (\Gamma', x{:}\tau, \Gamma'')$ and $\Gamma', [v_2/x]\Gamma'' \vdash [v_1/x] = [v_2/x] : (\Gamma', x{:}\tau, \Gamma'')$.

Proof: By induction on the proof of typing context well-formedness and Proposition 3.2.3. $\square$

Corollary 3.2.7

1. If $\Gamma', \alpha{::}L, \Gamma'' \vdash K_1 = K_2$ and $\Gamma' \vdash B_1 = B_2 :: L$ then $\Gamma', [B_1/\alpha]\Gamma'' \vdash [B_1/\alpha]K_1 = [B_2/\alpha]K_2$.

2. If $\Gamma', \alpha{::}L, \Gamma'' \vdash K_1 \le K_2$ and $\Gamma' \vdash B_1 = B_2 :: L$ then $\Gamma', [B_1/\alpha]\Gamma'' \vdash [B_1/\alpha]K_1 \le [B_2/\alpha]K_2$.

3. If $\Gamma', \alpha{::}L, \Gamma'' \vdash \tau_1 = \tau_2$ and $\Gamma' \vdash B_1 = B_2 :: L$ then $\Gamma', [B_1/\alpha]\Gamma'' \vdash [B_1/\alpha]\tau_1 = [B_2/\alpha]\tau_2$.

4. If $\Gamma', \alpha{::}L, \Gamma'' \vdash \tau_1 \le \tau_2$ and $\Gamma' \vdash B_1 = B_2 :: L$ then $\Gamma', [B_1/\alpha]\Gamma'' \vdash [B_1/\alpha]\tau_1 \le [B_2/\alpha]\tau_2$.

5. If $\Gamma', \alpha{::}L, \Gamma'' \vdash v_1 = v_2 : \tau$ and $\Gamma' \vdash B_1 = B_2 :: L$ then $\Gamma', [B_1/\alpha]\Gamma'' \vdash [B_1/\alpha]v_1 = [B_2/\alpha]v_2 : [B_1/\alpha]\tau$.

6. If $\Gamma', y{:}\sigma, \Gamma'' \vdash \tau_1 = \tau_2$ and $\Gamma' \vdash w_1 = w_2 : \sigma$ then $\Gamma', [w_1/y]\Gamma'' \vdash [w_1/y]\tau_1 = [w_2/y]\tau_2$.

7. If $\Gamma', y{:}\sigma, \Gamma'' \vdash \tau_1 \le \tau_2$ and $\Gamma' \vdash w_1 = w_2 : \sigma$ then $\Gamma', [w_1/y]\Gamma'' \vdash [w_1/y]\tau_1 \le [w_2/y]\tau_2$.

8. If $\Gamma', y{:}\sigma, \Gamma'' \vdash v_1 = v_2 : \tau$ and $\Gamma' \vdash w_1 = w_2 : \sigma$ then $\Gamma', [w_1/y]\Gamma'' \vdash [w_1/y]v_1 = [w_2/y]v_2 : [w_1/y]\tau$.

Proof: By Lemma 3.2.6 and Corollary 3.2.5. $\square$

The proof of Proposition 3.2.3 depends heavily on the exact formulation of the rules defining MIL$_0$. In particular, although dependent kinds and types force the rules to be asymmetric, they are all "asymmetric in the same way". For example, if Rule 2.39 were written instead as

$$\frac{\Gamma \vdash A_1 = A_2 :: \Sigma\alpha{::}K'.K''}{\Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: [\pi_1 A_2/\alpha]K''}$$

(where the substitution involves $\pi_1 A_2$ instead of $\pi_1 A_1$), then the above case for Rule 2.39 would not go through. A more robust but more technically involved method would be to prove validity and general functionality simultaneously. This requires a logical relations argument because inductively one needs to know, for example, not only that $\Pi$ and $\Sigma$ kinds are functional in their free variables, but also that their codomains are functional with respect to the domain variable. Stone and Harper [SH99] use this method for proving validity and functionality for the kind and constructor levels.

Alternatively, functionality could be built into the system. Harper and Pfenning [HP99] take the approach of making functionality an axiom. However, it appears that the same proof method used here would show their axiom admissible [Har00]. Martin-Löf goes further and makes functionality the defining property of what it means to be a valid judgment-in-context [ML84].

Corollary 3.2.8 (Weakening 2)

1. If $\Gamma_1, \alpha{::}K_2, \Gamma_2 \vdash J$ and $\Gamma_1 \vdash K_1 \le K_2$ then $\Gamma_1, \alpha{::}K_1, \Gamma_2 \vdash J$.

2. If $\Gamma_1, x{:}\tau_2, \Gamma_2 \vdash J$ and $\Gamma_1 \vdash \tau_1 \le \tau_2$ then $\Gamma_1, x{:}\tau_1, \Gamma_2 \vdash J$.

3. If $\Gamma \vdash J$ and $\vdash \Gamma = \Gamma'$ then $\Gamma' \vdash J$.



3.3 Proofs of Admissibility

I now have enough technical machinery to prove the admissibility of Rules 2.92–2.124.

Proposition 3.3.1

Rules 2.119 and 2.122 are admissible.

Proof: I show the proof for Rule 2.119 only; the other proof is analogous.

1. Assume $\Gamma \vdash A_1 = A_2 :: \mathsf{T}$.

2. By validity $\Gamma \vdash A_1 :: \mathsf{T}$,

3. so $\Gamma \vdash A_1 :: \mathsf{S}(A_1)$ by Rule 2.29.

4. But $\Gamma \vdash \mathsf{S}(A_1) \le \mathsf{S}(A_2)$,

5. so by subsumption we have $\Gamma \vdash A_1 :: \mathsf{S}(A_2)$. $\square$

Lemma 3.3.2

$\gamma(\mathsf{S}(A :: K)) = \mathsf{S}(\gamma A :: \gamma K)$.

Proof: By induction on the size of $K$, and by cases on the form of $K$. $\square$

Proposition 3.3.3

1. Rule 2.96 is admissible. That is, if $\Gamma \vdash A_1 = A_2 :: K$ then $\Gamma \vdash A_1 = A_2 :: \mathsf{S}(A_2 :: K)$.

2. Rules 2.92 and 2.93 are admissible. That is, if $\Gamma \vdash A :: K$ then $\Gamma \vdash \mathsf{S}(A :: K)$ and $\Gamma \vdash A :: \mathsf{S}(A :: K)$.

3. Rule 2.97 is admissible. That is, if $\Gamma \vdash A_1 :: \mathsf{S}(A_2 :: K)$ and $\Gamma \vdash A_2 :: K$ then $\Gamma \vdash A_1 = A_2 :: \mathsf{S}(A_2 :: K)$.

4. Rule 2.94 is admissible. That is, if $\Gamma \vdash A :: K$ then $\Gamma \vdash \mathsf{S}(A :: K) \le K$.

5. Rules 2.98 and 2.99 are admissible. That is, if $\Gamma \vdash A :: \Pi\alpha{::}K'.K''$ and $\Gamma \vdash A' :: K'$ then $\Gamma \vdash A\,A' :: [A'/\alpha]K''$. Similarly, if $\Gamma \vdash A_1 = A_2 :: \Pi\alpha{::}K'.K''$ and $\Gamma \vdash A_1' = A_2' :: K'$ then $\Gamma \vdash A_1\,A_1' = A_2\,A_2' :: [A_1'/\alpha]K''$.

6. Rule 2.102 is admissible. That is, if $\Gamma \vdash \Sigma\alpha{::}K'.K''$, $\Gamma \vdash \pi_1 A_1 = \pi_1 A_2 :: K'$, and $\Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: [\pi_1 A_1/\alpha]K''$ then $\Gamma \vdash A_1 = A_2 :: \Sigma\alpha{::}K'.K''$.

7. Rule 2.95 is admissible. That is, if $\Gamma \vdash A_1 = A_2 :: K_1$ and $\Gamma \vdash K_1 \le K_2$ then $\Gamma \vdash \mathsf{S}(A_1 :: K_1) \le \mathsf{S}(A_2 :: K_2)$.

Proof: By simultaneous induction on the size of kinds (the size of $K$ for parts 1–4, the size of $K'$ for parts 5 and 6, and the size of $K_1$ for part 7).

1. • Case $K = \mathsf{T}$ and $\mathsf{S}(A_2 :: K) = \mathsf{S}(A_2)$.
   (a) $\Gamma \vdash A_1 :: \mathsf{S}(A_2)$ by Rule 2.119.
   (b) Then $\Gamma \vdash A_1 = A_2 :: \mathsf{S}(A_2)$ by Rule 2.44.

   • Case $K = \mathsf{S}(B)$ and $\mathsf{S}(A_2 :: K) = \mathsf{S}(A_2)$.
   (a) $\Gamma \vdash B :: \mathsf{T}$ by validity and inversion, so $\Gamma \vdash \mathsf{S}(B) \le \mathsf{T}$.
   (b) Then $\Gamma \vdash A_1 = A_2 :: \mathsf{T}$ by subsumption,
   (c) and $\Gamma \vdash A_1 :: \mathsf{S}(A_2)$.
   (d) Thus $\Gamma \vdash A_1 = A_2 :: \mathsf{S}(A_2)$ by Rule 2.44.

   • Case $K = \Pi\alpha{::}K'.K''$ and $\mathsf{S}(A_2 :: K) = \Pi\alpha{::}K'.\mathsf{S}(A_2\,\alpha :: K'')$.
   (a) Inductively by part 5, $\Gamma, \alpha{::}K' \vdash A_1\,\alpha = A_2\,\alpha :: K''$.
   (b) By the inductive hypothesis, $\Gamma, \alpha{::}K' \vdash A_1\,\alpha = A_2\,\alpha :: \mathsf{S}(A_2\,\alpha :: K'')$.
   (c) By validity (Proposition 3.2.4) we have $\Gamma \vdash A_1 :: \Pi\alpha{::}K'.K''$ and $\Gamma \vdash A_2 :: \Pi\alpha{::}K'.K''$.
   (d) Therefore by Rule 2.42, $\Gamma \vdash A_1 = A_2 :: \Pi\alpha{::}K'.\mathsf{S}(A_2\,\alpha :: K'')$.

   • Case $K = \Sigma\alpha{::}K'.K''$ and $\mathsf{S}(A_2 :: K) = \mathsf{S}(\pi_1 A_2 :: K') \times \mathsf{S}(\pi_2 A_2 :: [\pi_1 A_2/\alpha]K'')$.
   (a) Then $\Gamma \vdash \pi_1 A_1 = \pi_1 A_2 :: K'$
   (b) and $\Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: [\pi_1 A_1/\alpha]K''$.
   (c) By functionality and subsumption, $\Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: [\pi_1 A_2/\alpha]K''$.
   (d) By the inductive hypothesis, $\Gamma \vdash \pi_1 A_1 = \pi_1 A_2 :: \mathsf{S}(\pi_1 A_2 :: K')$
   (e) and $\Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: \mathsf{S}(\pi_2 A_2 :: [\pi_1 A_2/\alpha]K'')$. (Note that $\mathit{size}([\pi_1 A_2/\alpha]K'') = \mathit{size}(K'') < \mathit{size}(K)$.)
   (f) Therefore by Rule 2.41 we have $\Gamma \vdash A_1 = A_2 :: \mathsf{S}(\pi_1 A_2 :: K') \times \mathsf{S}(\pi_2 A_2 :: [\pi_1 A_2/\alpha]K'')$.

2. (a) Assume $\Gamma \vdash A :: K$.
   (b) By Rule 2.33, $\Gamma \vdash A = A :: K$.
   (c) By the previous part, $\Gamma \vdash A = A :: \mathsf{S}(A :: K)$.
   (d) By validity, $\Gamma \vdash \mathsf{S}(A :: K)$ and $\Gamma \vdash A :: \mathsf{S}(A :: K)$.

3. • Case $K = \mathsf{T}$ and $\mathsf{S}(A_2 :: K) = \mathsf{S}(A_2)$. By Rule 2.44, $\Gamma \vdash A_1 = A_2 :: \mathsf{S}(A_2)$.

   • Case $K = \mathsf{S}(B)$ and $\mathsf{S}(A_2 :: K) = \mathsf{S}(A_2)$. By Rule 2.44, $\Gamma \vdash A_1 = A_2 :: \mathsf{S}(A_2)$.

   • Case $K = \Pi\alpha{::}K'.K''$ and $\mathsf{S}(A_2 :: K) = \Pi\alpha{::}K'.\mathsf{S}(A_2\,\alpha :: K'')$.
   (a) Inductively by part 5 we have $\Gamma, \alpha{::}K' \vdash A_1\,\alpha :: \mathsf{S}(A_2\,\alpha :: K'')$
   (b) and $\Gamma, \alpha{::}K' \vdash A_2\,\alpha :: K''$.
   (c) By the inductive hypothesis, $\Gamma, \alpha{::}K' \vdash A_1\,\alpha = A_2\,\alpha :: \mathsf{S}(A_2\,\alpha :: K'')$.
   (d) Therefore by Rule 2.42 we have $\Gamma \vdash A_1 = A_2 :: \Pi\alpha{::}K'.\mathsf{S}(A_2\,\alpha :: K'')$.

   • Case $K = \Sigma\alpha{::}K'.K''$ and $\mathsf{S}(A_2 :: K) = \mathsf{S}(\pi_1 A_2 :: K') \times \mathsf{S}(\pi_2 A_2 :: [\pi_1 A_2/\alpha]K'')$.
   (a) Then $\Gamma \vdash \pi_1 A_1 :: \mathsf{S}(\pi_1 A_2 :: K')$ and
   (b) $\Gamma \vdash \pi_2 A_1 :: \mathsf{S}(\pi_2 A_2 :: [\pi_1 A_2/\alpha]K'')$.
   (c) $\Gamma \vdash \pi_1 A_2 :: K'$ and $\Gamma \vdash \pi_2 A_2 :: [\pi_1 A_2/\alpha]K''$,
   (d) so by the inductive hypothesis, $\Gamma \vdash \pi_1 A_1 = \pi_1 A_2 :: \mathsf{S}(\pi_1 A_2 :: K')$ and
   (e) $\Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: \mathsf{S}(\pi_2 A_2 :: [\pi_1 A_2/\alpha]K'')$.
   (f) By Rule 2.41 we have $\Gamma \vdash A_1 = A_2 :: \mathsf{S}(\pi_1 A_2 :: K') \times \mathsf{S}(\pi_2 A_2 :: [\pi_1 A_2/\alpha]K'')$.

4. • Case $K = \mathsf{T}$ and $\mathsf{S}(A :: K) = \mathsf{S}(A)$. By Rule 2.11 we have $\Gamma \vdash \mathsf{S}(A :: \mathsf{T}) \le \mathsf{T}$.

   • Case $K = \mathsf{S}(B)$ and $\mathsf{S}(A :: K) = \mathsf{S}(A)$.
   (a) Then $\Gamma \vdash A = B :: \mathsf{T}$, so
   (b) $\Gamma \vdash \mathsf{S}(A) \le \mathsf{S}(B)$.

   • Case $K = \Pi\alpha{::}K_1.K_2$ and $\mathsf{S}(A :: K) = \Pi\alpha{::}K_1.\mathsf{S}(A\,\alpha :: K_2)$.
   (a) Then $\Gamma \vdash K_1$ and $\Gamma, \alpha{::}K_1 \vdash A\,\alpha :: K_2$.
   (b) By the inductive hypothesis, $\Gamma, \alpha{::}K_1 \vdash \mathsf{S}(A\,\alpha :: K_2) \le K_2$.
   (c) Therefore, $\Gamma \vdash \Pi\alpha{::}K_1.\mathsf{S}(A\,\alpha :: K_2) \le \Pi\alpha{::}K_1.K_2$.

   • Case $K = \Sigma\alpha{::}K'.K''$ and $\mathsf{S}(A :: K) = \mathsf{S}(\pi_1 A :: K') \times \mathsf{S}(\pi_2 A :: [\pi_1 A/\alpha]K'')$.
   (a) Then $\Gamma \vdash \pi_1 A :: K'$,
   (b) so by the inductive hypothesis, $\Gamma \vdash \mathsf{S}(\pi_1 A :: K') \le K'$.
   (c) Furthermore, $\Gamma \vdash \pi_2 A :: [\pi_1 A/\alpha]K''$,
   (d) so by the inductive hypothesis, $\Gamma \vdash \mathsf{S}(\pi_2 A :: [\pi_1 A/\alpha]K'') \le [\pi_1 A/\alpha]K''$.
   (e) Also, by Proposition 3.1.1 and weakening, $\Gamma, \alpha{::}\mathsf{S}(\pi_1 A :: K') \vdash K'' \le K''$.
   (f) By part 3 we have $\Gamma, \alpha{::}\mathsf{S}(\pi_1 A :: K') \vdash \alpha = \pi_1 A :: \mathsf{S}(\pi_1 A :: K')$,
   (g) so by functionality we have $\Gamma, \alpha{::}\mathsf{S}(\pi_1 A :: K') \vdash [\pi_1 A/\alpha]K'' \le K''$.
   (h) Therefore, $\Gamma \vdash \mathsf{S}(\pi_1 A :: K') \times \mathsf{S}(\pi_2 A :: [\pi_1 A/\alpha]K'') \le \Sigma\alpha{::}K'.K''$.

5. (a) Assume $\Gamma \vdash A :: \Pi\alpha{::}K'.K''$ and $\Gamma \vdash A' :: K'$.
   (b) Then by part 4, $\Gamma \vdash \mathsf{S}(A' :: K') \le K'$.
   (c) By validity and reflexivity we have $\Gamma, \alpha{::}K' \vdash K'' \le K''$.
   (d) By weakening, $\Gamma, \alpha{::}\mathsf{S}(A' :: K') \vdash K'' \le K''$.
   (e) Since by part 3 we have $\Gamma, \alpha{::}\mathsf{S}(A' :: K') \vdash \alpha = A' :: \mathsf{S}(A' :: K')$,
   (f) by functionality it follows that $\Gamma, \alpha{::}\mathsf{S}(A' :: K') \vdash K'' \le [A'/\alpha]K''$.
   (g) Thus $\Gamma \vdash \Pi\alpha{::}K'.K'' \le \mathsf{S}(A' :: K') \to [A'/\alpha]K''$.
   (h) By subsumption $\Gamma \vdash A :: \mathsf{S}(A' :: K') \to [A'/\alpha]K''$,
   (i) so by Rule 2.25 we have $\Gamma \vdash A\,A' :: [A'/\alpha]K''$.

   The proof for Rule 2.99 is exactly analogous.

6. (a) Assume $\Gamma \vdash \Sigma\alpha{::}K'.K''$, $\Gamma \vdash \pi_1 A_1 = \pi_1 A_2 :: K'$, and $\Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: [\pi_1 A_1/\alpha]K''$.
   (b) Then by symmetry and part 1, $\Gamma \vdash \pi_1 A_1 = \pi_1 A_2 :: \mathsf{S}(\pi_1 A_1 :: K')$,
   (c) so by Rule 2.41, $\Gamma \vdash A_1 = A_2 :: \mathsf{S}(\pi_1 A_1 :: K') \times [\pi_1 A_1/\alpha]K''$.
   (d) Now $\Gamma \vdash \mathsf{S}(\pi_1 A_1 :: K') \le K'$.
   (e) Since $\Gamma, \alpha{::}K' \vdash K''$ by inversion,
   (f) by weakening and reflexivity we have $\Gamma, \alpha{::}\mathsf{S}(\pi_1 A_1 :: K') \vdash K'' \le K''$.
   (g) By functionality, $\Gamma, \alpha{::}\mathsf{S}(\pi_1 A_1 :: K') \vdash [\pi_1 A_1/\alpha]K'' \le K''$.
   (h) Thus $\Gamma \vdash \mathsf{S}(\pi_1 A_1 :: K') \times [\pi_1 A_1/\alpha]K'' \le \Sigma\alpha{::}K'.K''$.
   (i) By subsumption, $\Gamma \vdash A_1 = A_2 :: \Sigma\alpha{::}K'.K''$.

7. • Case $K_1 = \mathsf{T}$ or $\mathsf{S}(B_1)$, and $K_2 = \mathsf{T}$ or $\mathsf{S}(B_2)$.
   (a) $\mathsf{S}(A_1 :: K_1) = \mathsf{S}(A_1)$,
   (b) $\mathsf{S}(A_2 :: K_2) = \mathsf{S}(A_2)$,
   (c) and the desired conclusion follows by Rule 2.12.

   • Case $K_1 = \Pi\alpha{::}K_1'.K_1''$ and $K_2 = \Pi\alpha{::}K_2'.K_2''$.
   (a) $\mathsf{S}(A_1 :: K_1) = \Pi\alpha{::}K_1'.\mathsf{S}(A_1\,\alpha :: K_1'')$.
   (b) By inversion $\Gamma \vdash K_2' \le K_1'$ and $\Gamma, \alpha{::}K_2' \vdash K_1'' \le K_2''$.
   (c) Now $\Gamma, \alpha{::}K_2' \vdash A_1\,\alpha = A_2\,\alpha :: K_1''$.
   (d) By the inductive hypothesis, $\Gamma, \alpha{::}K_2' \vdash \mathsf{S}(A_1\,\alpha :: K_1'') \le \mathsf{S}(A_2\,\alpha :: K_2'')$.
   (e) The conclusion follows by Rule 2.14.

   • Case $K_1 = \Sigma\alpha{::}K_1'.K_1''$ and $K_2 = \Sigma\alpha{::}K_2'.K_2''$.
   (a) $\mathsf{S}(A_1 :: K_1) = \Sigma\alpha{::}\mathsf{S}(\pi_1 A_1 :: K_1').\mathsf{S}(\pi_2 A_1 :: [\pi_1 A_1/\alpha]K_1'')$
   (b) and $\mathsf{S}(A_2 :: K_2) = \Sigma\alpha{::}\mathsf{S}(\pi_1 A_2 :: K_2').\mathsf{S}(\pi_2 A_2 :: [\pi_1 A_2/\alpha]K_2'')$.
   (c) Now $\Gamma \vdash \pi_1 A_1 = \pi_1 A_2 :: K_1'$
   (d) and $\Gamma \vdash \pi_2 A_1 = \pi_2 A_2 :: [\pi_1 A_1/\alpha]K_1''$.
   (e) By the inductive hypothesis, $\Gamma \vdash \mathsf{S}(\pi_1 A_1 :: K_1') \le \mathsf{S}(\pi_1 A_2 :: K_2')$.
   (f) Since $\Gamma \vdash [\pi_1 A_1/\alpha]K_1'' \le [\pi_1 A_2/\alpha]K_2''$,
   (g) the inductive hypothesis applies, yielding $\Gamma \vdash \mathsf{S}(\pi_2 A_1 :: [\pi_1 A_1/\alpha]K_1'') \le \mathsf{S}(\pi_2 A_2 :: [\pi_1 A_2/\alpha]K_2'')$. (Here it is important that the induction is on the size of $K_1$ and not on the proof of $\Gamma \vdash K_1 \le K_2$.)
   (h) The desired result follows by weakening and Rule 2.15. $\square$


Proposition 3.3.4

The remaining rules from §2.3 are all admissible.

Proof: By cases.

• Case: Rule 2.100.
$$\frac{\Gamma \vdash \Sigma\alpha{::}K'.K'' \qquad \Gamma \vdash A' :: K' \qquad \Gamma \vdash A'' :: [A'/\alpha]K''}{\Gamma \vdash \langle A', A''\rangle :: \Sigma\alpha{::}K'.K''}$$

  1. Assume $\Gamma \vdash \Sigma\alpha{::}K'.K''$, $\Gamma \vdash A' :: K'$, and $\Gamma \vdash A'' :: [A'/\alpha]K''$.
  2. Then $\Gamma \vdash A' :: \mathsf{S}(A' :: K')$,
  3. so $\Gamma \vdash \langle A', A''\rangle :: \mathsf{S}(A' :: K') \times [A'/\alpha]K''$.
  4. Now $\Gamma \vdash \mathsf{S}(A' :: K') \le K'$.
  5. Since $\Gamma, \alpha{::}K' \vdash K''$ by inversion,
  6. by weakening and reflexivity we have $\Gamma, \alpha{::}\mathsf{S}(A' :: K') \vdash K'' \le K''$.
  7. By functionality, $\Gamma, \alpha{::}\mathsf{S}(A' :: K') \vdash [A'/\alpha]K'' \le K''$.
  8. Thus $\Gamma \vdash \mathsf{S}(A' :: K') \times [A'/\alpha]K'' \le \Sigma\alpha{::}K'.K''$.
  9. By subsumption, $\Gamma \vdash \langle A', A''\rangle :: \Sigma\alpha{::}K'.K''$.

• Case: Rule 2.101. Analogous to the proof for Rule 2.100.

• Case: Rules 2.103 and 2.104. Analogous to the proof for Rule 2.98.

• Case: Rules 2.105 and 2.106. Analogous to the proof for Rule 2.100.

• Case: Rule 2.107.
$$\frac{\Gamma, \alpha{::}K' \vdash A :: K'' \qquad \Gamma \vdash A' :: K'}{\Gamma \vdash (\lambda\alpha{::}K'.A)\,A' = [A'/\alpha]A :: [A'/\alpha]K''}$$

  1. Assume $\Gamma, \alpha{::}K' \vdash A :: K''$ and $\Gamma \vdash A' :: K'$.
  2. Then $\Gamma, \alpha{::}K' \vdash A :: \mathsf{S}(A :: K'')$,
  3. so $\Gamma \vdash \lambda\alpha{::}K'.A :: \Pi\alpha{::}K'.\mathsf{S}(A :: K'')$.
  4. By Rule 2.98 we have $\Gamma \vdash (\lambda\alpha{::}K'.A)\,A' :: \mathsf{S}([A'/\alpha]A :: [A'/\alpha]K'')$.
  5. By substitution, $\Gamma \vdash [A'/\alpha]A :: [A'/\alpha]K''$.
  6. Thus $\Gamma \vdash (\lambda\alpha{::}K'.A)\,A' = [A'/\alpha]A :: [A'/\alpha]K''$ by Rule 2.97.

• Case: Rule 2.108.
$$\frac{\Gamma \vdash A_1 :: K_1 \qquad \Gamma \vdash A_2 :: K_2}{\Gamma \vdash \pi_1\langle A_1, A_2\rangle = A_1 :: K_1}$$

  1. Assume $\Gamma \vdash A_1 :: K_1$ and $\Gamma \vdash A_2 :: K_2$.
  2. Then $\Gamma \vdash A_1 :: \mathsf{S}(A_1 :: K_1)$,
  3. so $\Gamma \vdash \langle A_1, A_2\rangle :: \mathsf{S}(A_1 :: K_1) \times K_2$.
  4. Thus $\Gamma \vdash \pi_1\langle A_1, A_2\rangle :: \mathsf{S}(A_1 :: K_1)$,
  5. and $\Gamma \vdash \pi_1\langle A_1, A_2\rangle = A_1 :: K_1$ by Rule 2.97, Rule 2.94 and subsumption.

• Case: Rules 2.109–2.111. Analogous to the proof for Rule 2.108.

• Case: Rule 2.112. By Rule 2.107 and functionality.

• Case: Rules 2.113–2.116. By Rules 2.108–2.111 and subsumption.

• Case: Rules 2.117–2.118. By the $\beta$-rules and extensionality.

• Case: Rules 2.120–2.121. By validity and subsumption.

• Case: Rules 2.123–2.124. By validity and subsumption. $\square$

3.4 Kind Strengthening

One can drop those constructor variables in the context which are not referred to (directly or indirectly) in a judgment. This follows from the fact that every kind classifies some constructor:

Proposition 3.4.1 (Inhabitation of Kinds)

If $\Gamma \vdash K$ then there exists a constructor $A$ such that $\Gamma \vdash A :: K$.

Proof: By induction on the size of $K$, and cases on the form of $K$.

• Case: $K = \mathsf{T}$. Pick $A = \mathsf{Int}$.

• Case: $K = \mathsf{S}(A)$. By inversion $\Gamma \vdash A :: \mathsf{T}$, so $\Gamma \vdash A :: \mathsf{S}(A)$ by Rule 2.29.

• Case: $K = \Pi\alpha{::}K'.K''$. Then $\Gamma, \alpha{::}K' \vdash K''$ by inversion, so by the inductive hypothesis there exists $A''$ such that $\Gamma, \alpha{::}K' \vdash A'' :: K''$. Choose $A = \lambda\alpha{::}K'.A''$.

• Case: $K = \Sigma\alpha{::}K'.K''$. Then $\Gamma \vdash K'$ and $\Gamma, \alpha{::}K' \vdash K''$ by inversion. By the inductive hypothesis we may choose $A'$ with $\Gamma \vdash A' :: K'$. By substitution, $\Gamma \vdash [A'/\alpha]K''$, so inductively we may choose $A''$ with $\Gamma \vdash A'' :: [A'/\alpha]K''$. (It is important here that induction proceeds by the size of the kind, and that size is invariant under substitutions.) By the admissible Rule 2.100, $\Gamma \vdash \langle A', A''\rangle :: \Sigma\alpha{::}K'.K''$. $\square$

Corollary 3.4.2 (Kind Strengthening)

If $\Gamma_1, \beta{::}L, \Gamma_2 \vdash J$ and $\beta \notin \mathrm{FV}(\Gamma_2) \cup \mathrm{FV}(J)$ then $\Gamma_1, \Gamma_2 \vdash J$.

Proof:

1. There exists a strict subderivation $\Gamma_1, \beta{::}L, \Gamma_2 \vdash \mathrm{ok}$, which itself contains a subderivation $\Gamma_1 \vdash L$.

2. By Proposition 3.4.1 there exists $B$ with $\Gamma_1 \vdash B :: L$.

3. By Proposition 3.1.11 we have $\Gamma_1, [B/\beta]\Gamma_2 \vdash [B/\beta]J$.

4. But since $\beta$ is not free in $\Gamma_2$ or $J$, this judgment is exactly $\Gamma_1, \Gamma_2 \vdash J$. $\square$

This proof strategy is not applicable for dropping unused term variables in the context; in general one does not expect every type to be inhabited by values. Therefore the corresponding proof of strengthening for term variables is delayed until §7.4.

Chapter 4

Algorithms for Kind and Constructor Judgments

4.1 Introduction

In this chapter I present algorithms for checking instances of the kind and constructor-level judgments. For each such algorithm, proving correctness requires showing that three properties hold.

• Soundness: if the algorithm verifies the judgment then the corresponding MIL$_0$ judgment is provable.

• Completeness: if a MIL$_0$ judgment is provable then the algorithm will verify the judgment.

• Termination: the algorithm always either verifies or rejects a judgment. (That is, the judgment is decidable.)

In this chapter I show soundness for all of the algorithms, but most completeness and termination results are postponed until the next chapter.

4.2 Principal Kinds

Checking the validity of type constructors is simplified by the existence of principal kinds. A principal kind of a constructor (with respect to a given typing context) is a most-specific kind of that constructor. Formally, $K$ is principal for $A$ in $\Gamma$ if and only if $\Gamma \vdash A :: K$ and whenever $\Gamma \vdash A :: L$ we have $\Gamma \vdash K \le L$. When they exist, principal kinds are unique up to provable equivalence.

$$\begin{array}{ll}
\Gamma \rhd b \Uparrow \mathsf{S}(b) \\
\Gamma \rhd \alpha \Uparrow \mathsf{S}(\alpha :: \Gamma(\alpha)) \\
\Gamma \rhd {\times} \Uparrow \mathsf{S}({\times} :: \mathsf{T}\to\mathsf{T}\to\mathsf{T}) \\
\Gamma \rhd {\to} \Uparrow \mathsf{S}({\to} :: \mathsf{T}\to\mathsf{T}\to\mathsf{T}) \\
\Gamma \rhd \lambda\alpha{::}K'.A \Uparrow \Pi\alpha{::}K'.K'' & \text{if } \Gamma, \alpha{::}K' \rhd A \Uparrow K'' \\
\Gamma \rhd A\,A' \Uparrow [A'/\alpha]K'' & \text{if } \Gamma \rhd A \Uparrow \Pi\alpha{::}K'.K'' \\
\Gamma \rhd \langle A', A''\rangle \Uparrow K' \times K'' & \text{if } \Gamma \rhd A' \Uparrow K' \text{ and } \Gamma \rhd A'' \Uparrow K'' \\
\Gamma \rhd \pi_1 A \Uparrow K' & \text{if } \Gamma \rhd A \Uparrow \Sigma\alpha{::}K'.K'' \\
\Gamma \rhd \pi_2 A \Uparrow [\pi_1 A/\alpha]K'' & \text{if } \Gamma \rhd A \Uparrow \Sigma\alpha{::}K'.K''
\end{array}$$

Figure 4.1: Algorithm for Principal Kind Synthesis

I show that every well-kinded constructor has a principal kind by giving a correct algorithm for explicitly calculating it; see Figure 4.1. This algorithm, like all of the algorithms I will present, is organized as a collection of "algorithmic" inference rules. The rules have been carefully designed so that a derivation $\Gamma \rhd A \Uparrow K$ corresponds exactly to a run of the principal kind computation algorithm which takes $\Gamma$ and $A$ as inputs and produces the principal kind $K$ as the result. To this end, the inference rules are deterministic: given $\Gamma$ and $A$, there is at most one kind $K$ such that $\Gamma \rhd A \Uparrow K$. Furthermore, there is at most one rule which could possibly be used to produce such a $K$; there is exactly one inference rule for each syntactic form that $A$ might have. Thus given $\Gamma$ and $A$, a "proof search" for $K$ such that $\Gamma \rhd A \Uparrow K$ corresponds to a direct calculation of the principal kind.

For example, in the empty typing context the principal kind of $\lambda\alpha{::}\mathsf{T}.\lambda\beta{::}\mathsf{T}.\langle\alpha, \beta\rangle$ is computed as follows:

$\rhd\ \lambda\alpha{::}\mathsf{T}.\lambda\beta{::}\mathsf{T}.\langle\alpha, \beta\rangle \Uparrow \Pi\alpha{::}\mathsf{T}.\Pi\beta{::}\mathsf{T}.\mathsf{S}(\alpha) \times \mathsf{S}(\beta)$

because $\alpha{::}\mathsf{T} \rhd \lambda\beta{::}\mathsf{T}.\langle\alpha, \beta\rangle \Uparrow \Pi\beta{::}\mathsf{T}.\mathsf{S}(\alpha) \times \mathsf{S}(\beta)$,

because $\alpha{::}\mathsf{T}, \beta{::}\mathsf{T} \rhd \langle\alpha, \beta\rangle \Uparrow \mathsf{S}(\alpha) \times \mathsf{S}(\beta)$,

because $\alpha{::}\mathsf{T}, \beta{::}\mathsf{T} \rhd \alpha \Uparrow \mathsf{S}(\alpha)$ and $\alpha{::}\mathsf{T}, \beta{::}\mathsf{T} \rhd \beta \Uparrow \mathsf{S}(\beta)$.
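The computation above, together with the singleton expansion $\mathsf{S}(A :: K)$ that the admissibility proofs of §3.3 manipulate, can be run mechanically. The following is an added example written for this page; it is not code from the dissertation or from the TILT compiler. It represents kinds and constructors as Python data types, implements $\mathit{size}$ from Definition 3.1.6, $\mathsf{S}(A :: K)$ by the four clauses recorded in the proof of Proposition 3.3.3, and $\Gamma \rhd A \Uparrow K$ by the rules of Figure 4.1. The class names, the dummy binder `_` used for the non-dependent kinds $K' \to K''$ and $K' \times K''$, and the `Op` node standing for the constants $\times$ and $\to$ are conventions of this example only. As in Theorem 4.2.1, synthesis presupposes $\Gamma \vdash A :: L$ for some $L$; the example does not check that an argument actually has the kind a $\Pi$ demands, which is the job of the subkinding and equivalence algorithms and is left out here.

```python
"""Constructor level of MIL_0: the size measure of Definition 3.1.6, the singleton
expansion S(A :: K) behind Lemma 3.3.2 and Proposition 3.3.3, and the principal kind
synthesis algorithm of Figure 4.1.  Example code written for this page; it is not
taken from the dissertation or from the TILT compiler."""
from __future__ import annotations
import itertools
from dataclasses import dataclass
from typing import Union

# Kinds: T | S(A) | Πα::K'.K'' | Σα::K'.K''   (K'→K'' and K'×K'' when α is not free in K'')
@dataclass(frozen=True)
class T: pass
@dataclass(frozen=True)
class S: A: Con
@dataclass(frozen=True)
class Pi: var: str; dom: Kind; body: Kind
@dataclass(frozen=True)
class Sigma: var: str; dom: Kind; body: Kind
Kind = Union[T, S, Pi, Sigma]

# Constructors: b | × | → | α | λα::K.A | A A' | ⟨A', A''⟩ | π1 A | π2 A
@dataclass(frozen=True)
class Base: name: str            # a base type such as Int, of kind T
@dataclass(frozen=True)
class Op: name: str              # the constants × and →, of kind T→T→T (this example's own node)
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: var: str; dom: Kind; body: Con
@dataclass(frozen=True)
class App: fun: Con; arg: Con
@dataclass(frozen=True)
class Pair: fst: Con; snd: Con
@dataclass(frozen=True)
class Proj: index: int; arg: Con
Con = Union[Base, Op, Var, Lam, App, Pair, Proj]

_ids = itertools.count(1)
def fresh(base: str) -> str:     # a binder name not used anywhere else
    return f"{base}{next(_ids)}"

def fv(t) -> set:                # free constructor variables of a kind or constructor
    if isinstance(t, Var): return {t.name}
    if isinstance(t, (T, Base, Op)): return set()
    if isinstance(t, S): return fv(t.A)
    if isinstance(t, (Pi, Sigma, Lam)): return fv(t.dom) | (fv(t.body) - {t.var})
    if isinstance(t, App): return fv(t.fun) | fv(t.arg)
    if isinstance(t, Pair): return fv(t.fst) | fv(t.snd)
    return fv(t.arg)                                             # Proj

def subst(t, x: str, B: Con):    # [B/x]t, renaming binders so that B is never captured
    if isinstance(t, Var): return B if t.name == x else t
    if isinstance(t, (T, Base, Op)): return t
    if isinstance(t, S): return S(subst(t.A, x, B))
    if isinstance(t, App): return App(subst(t.fun, x, B), subst(t.arg, x, B))
    if isinstance(t, Pair): return Pair(subst(t.fst, x, B), subst(t.snd, x, B))
    if isinstance(t, Proj): return Proj(t.index, subst(t.arg, x, B))
    dom = subst(t.dom, x, B)                                     # Pi, Sigma or Lam
    if t.var == x: return type(t)(t.var, dom, t.body)            # x is shadowed by the binder
    var, body = t.var, t.body
    if var in fv(B):                                             # rename to avoid capture
        new = fresh(var); body = subst(body, var, Var(new)); var = new
    return type(t)(var, dom, subst(body, x, B))

def size(K: Kind) -> int:        # Definition 3.1.6; depends only on the shape, so size([A/α]K) = size(K)
    return 1 if isinstance(K, T) else 2 if isinstance(K, S) else size(K.dom) + size(K.body) + 2

def singleton_at(A: Con, K: Kind) -> Kind:   # S(A :: K), by recursion on the size of K
    if isinstance(K, (T, S)): return S(A)                        # S(A :: T) = S(A :: S(B)) = S(A)
    if isinstance(K, Pi):                                        # Πα::K'.S(A α :: K''), α fresh for A
        var = fresh(K.var) if K.var in fv(A) else K.var
        body = K.body if var == K.var else subst(K.body, K.var, Var(var))
        return Pi(var, K.dom, singleton_at(App(A, Var(var)), body))
    p1 = Proj(1, A)                                              # S(π1 A :: K') × S(π2 A :: [π1 A/α]K'')
    return Sigma("_", singleton_at(p1, K.dom), singleton_at(Proj(2, A), subst(K.body, K.var, p1)))

TTT = Pi("α", T(), Pi("β", T(), T()))                            # the kind T→T→T of × and →

def synth(ctx: dict, A: Con) -> Kind:
    """Γ ▷ A ⇑ K by the deterministic rules of Figure 4.1.  As in Theorem 4.2.1 the
    algorithm presupposes Γ ⊢ A :: L for some L; it does not check argument kinds."""
    if isinstance(A, Base): return S(A)
    if isinstance(A, Op): return singleton_at(A, TTT)
    if isinstance(A, Var): return singleton_at(A, ctx[A.name])  # S(α :: Γ(α)); KeyError if unbound
    if isinstance(A, Lam): return Pi(A.var, A.dom, synth({**ctx, A.var: A.dom}, A.body))
    if isinstance(A, Pair): return Sigma("_", synth(ctx, A.fst), synth(ctx, A.snd))
    K = synth(ctx, A.fun if isinstance(A, App) else A.arg)
    if isinstance(A, App):
        if not isinstance(K, Pi): raise TypeError("applying a constructor of non-Π kind")
        return subst(K.body, K.var, A.arg)                       # [A'/α]K''
    if not isinstance(K, Sigma): raise TypeError("projecting from a constructor of non-Σ kind")
    return K.dom if A.index == 1 else subst(K.body, K.var, Proj(1, A.arg))

def show(t) -> str:              # render a kind or constructor in the notation of the text
    par = lambda u: f"({show(u)})" if isinstance(u, (App, Lam, Pi, Sigma)) else show(u)
    if isinstance(t, T): return "T"
    if isinstance(t, S): return f"S({show(t.A)})"
    if isinstance(t, (Base, Op, Var)): return t.name
    if isinstance(t, Lam): return f"λ{t.var}::{show(t.dom)}.{show(t.body)}"
    if isinstance(t, Pair): return f"⟨{show(t.fst)}, {show(t.snd)}⟩"
    if isinstance(t, Proj): return f"π{t.index} {par(t.arg)}"
    if isinstance(t, App):                                       # × and → are shown infix
        if isinstance(t.fun, App) and isinstance(t.fun.fun, Op):
            return f"{par(t.fun.arg)} {t.fun.fun.name} {par(t.arg)}"
        return f"{show(t.fun) if isinstance(t.fun, App) else par(t.fun)} {par(t.arg)}"
    if t.var in fv(t.body):                                      # dependent Π or Σ
        return f"{'Π' if isinstance(t, Pi) else 'Σ'}{t.var}::{show(t.dom)}.{show(t.body)}"
    return f"{par(t.dom)}→{show(t.body)}" if isinstance(t, Pi) else f"{par(t.dom)}×{par(t.body)}"

# The worked example of §4.2: the principal kind of λα::T.λβ::T.⟨α, β⟩ in the empty context.
EXAMPLE = Lam("α", T(), Lam("β", T(), Pair(Var("α"), Var("β"))))
if __name__ == "__main__": print(show(synth({}, EXAMPLE)))     # Πα::T.Πβ::T.S(α)×S(β)
```

Running `synth({}, EXAMPLE)` reproduces the derivation above. The same functions also expose the point made in the proof of Proposition 3.3.3 that $\mathsf{S}(A :: \Sigma\alpha{::}K'.K'')$ is always a non-dependent product, which is why `synth` can treat the result of projecting from a variable of $\Sigma$ kind uniformly.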

The principal kind synthesis algorithm is correct, as shown by the following theorem; note that $K$ is independent of $L$ and hence is principal.

Theorem 4.2.1 (Principal Kinds)

If $\Gamma \vdash A :: L$ then there exists $K$ such that $\Gamma \rhd A \Uparrow K$ and $\Gamma \vdash A :: K$ and $\Gamma \vdash K \le \mathsf{S}(A :: L)$, so that $\Gamma \vdash K \le L$.
Proof: By induction on the proof of the assumption and cases on the last rule used.

• Case: Rule 2.20.
$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash b :: \mathsf{T}}$$
  1. $\Gamma \rhd b \Uparrow \mathsf{S}(b)$ and $\Gamma \vdash b :: \mathsf{S}(b)$.
  2. $\mathsf{S}(b :: \mathsf{T}) = \mathsf{S}(b)$.
  3. $\Gamma \vdash b = b :: \mathsf{T}$, so $\Gamma \vdash \mathsf{S}(b) \le \mathsf{S}(b)$.

• Case: Rule 2.23.
$$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash \alpha :: \Gamma(\alpha)}$$
  1. $\Gamma \rhd \alpha \Uparrow \mathsf{S}(\alpha :: \Gamma(\alpha))$.
  2. By Rules 2.92 and 2.93, $\Gamma \vdash \mathsf{S}(\alpha :: \Gamma(\alpha))$ and $\Gamma \vdash \alpha :: \mathsf{S}(\alpha :: \Gamma(\alpha))$.
  3. By reflexivity, $\Gamma \vdash \mathsf{S}(\alpha :: \Gamma(\alpha)) \le \mathsf{S}(\alpha :: \Gamma(\alpha))$.

• Case: Rule 2.24.
$$\frac{\Gamma, \alpha{::}K' \vdash A :: L''}{\Gamma \vdash \lambda\alpha{::}K'.A :: \Pi\alpha{::}K'.L''}$$
  1. By the inductive hypothesis $\Gamma, \alpha{::}K' \rhd A \Uparrow K''$,
  2. $\Gamma, \alpha{::}K' \vdash A :: K''$,
  3. and $\Gamma, \alpha{::}K' \vdash K'' \le \mathsf{S}(A :: L'')$.
  4. Then $\Gamma \rhd \lambda\alpha{::}K'.A \Uparrow \Pi\alpha{::}K'.K''$
  5. and $\Gamma \vdash \lambda\alpha{::}K'.A :: \Pi\alpha{::}K'.K''$.
  6. Now $\Gamma, \alpha{::}K' \vdash (\lambda\alpha{::}K'.A)\,\alpha = A :: L''$ by weakening and Rule 2.107,
  7. so $\Gamma, \alpha{::}K' \vdash \mathsf{S}(A :: L'') \le \mathsf{S}((\lambda\alpha{::}K'.A)\,\alpha :: L'')$ by Rule 2.95.
  8. Since $\mathsf{S}(\lambda\alpha{::}K'.A :: \Pi\alpha{::}K'.L'') = \Pi\alpha{::}K'.\mathsf{S}((\lambda\alpha{::}K'.A)\,\alpha :: L'')$
  9. and $\Gamma \vdash K' \le K'$,
  10. we have $\Gamma \vdash \Pi\alpha{::}K'.K'' \le \mathsf{S}(\lambda\alpha{::}K'.A :: \Pi\alpha{::}K'.L'')$.

• Case: Rule 2.25.
$$\frac{\Gamma \vdash A :: L' \to L'' \qquad \Gamma \vdash A' :: L'}{\Gamma \vdash A\,A' :: L''}$$
  1. By the inductive hypothesis $\Gamma \rhd A \Uparrow K$,
  2. $\Gamma \vdash A :: K$,
  3. and $\Gamma \vdash K \le \mathsf{S}(A :: L' \to L'')$.
  4. Now $\mathsf{S}(A :: L' \to L'') = \Pi\alpha{::}L'.\mathsf{S}(A\,\alpha :: L'')$ where $\alpha \notin \mathrm{FV}(A) \cup \mathrm{FV}(L'')$.
  5. By inversion of subkinding, $K = \Pi\alpha{::}K'.K''$,
  6. $\Gamma \vdash L' \le K'$,
  7. and $\Gamma, \alpha{::}L' \vdash K'' \le \mathsf{S}(A\,\alpha :: L'')$.
  8. Then $\Gamma \rhd A\,A' \Uparrow [A'/\alpha]K''$.
  9. By subsumption, $\Gamma \vdash A' :: K'$, so
  10. $\Gamma \vdash A\,A' :: [A'/\alpha]K''$.
  11. Finally, by Lemma 3.3.2 and Proposition 3.1.11 applied to line 7 we have $\Gamma \vdash [A'/\alpha]K'' \le \mathsf{S}(A\,A' :: L'')$.
• Case: Rule 2.27.
$$\frac{\Gamma \vdash A :: \Sigma\alpha{::}L'.L''}{\Gamma \vdash \pi_1 A :: L'}$$
  1. By the inductive hypothesis, $\Gamma \rhd A \Uparrow K$,
  2. $\Gamma \vdash A :: K$,
  3. and $\Gamma \vdash K \le \mathsf{S}(A :: \Sigma\alpha{::}L'.L'')$.
  4. Now $\mathsf{S}(A :: \Sigma\alpha{::}L'.L'') = \mathsf{S}(\pi_1 A :: L') \times \mathsf{S}(\pi_2 A :: [\pi_1 A/\alpha]L'')$.
  5. By inversion of subkinding, $K = \Sigma\alpha{::}K'.K''$,
  6. and $\Gamma \vdash K' \le \mathsf{S}(\pi_1 A :: L')$.
  7. Finally, $\Gamma \rhd \pi_1 A \Uparrow K'$
  8. and $\Gamma \vdash \pi_1 A :: K'$.

• Case: Rule 2.28.
$$\frac{\Gamma \vdash A :: \Sigma\alpha{::}L'.L''}{\Gamma \vdash \pi_2 A :: [\pi_1 A/\alpha]L''}$$
  1. By the inductive hypothesis, $\Gamma \rhd A \Uparrow K$,
  2. $\Gamma \vdash A :: K$,
  3. and $\Gamma \vdash K \le \mathsf{S}(A :: \Sigma\alpha{::}L'.L'')$.
  4. Now $\mathsf{S}(A :: \Sigma\alpha{::}L'.L'') = \mathsf{S}(\pi_1 A :: L') \times \mathsf{S}(\pi_2 A :: [\pi_1 A/\alpha]L'')$.
  5. By inversion of subkinding, $K = \Sigma\alpha{::}K'.K''$,
  6. $\Gamma \vdash K' \le \mathsf{S}(\pi_1 A :: L')$,
  7. and $\Gamma, \alpha{::}K' \vdash K'' \le \mathsf{S}(\pi_2 A :: [\pi_1 A/\alpha]L'')$.
  8. Then $\Gamma \vdash \pi_1 A :: K'$,
  9. so by Proposition 3.1.11 applied to line 7, $\Gamma \vdash [\pi_1 A/\alpha]K'' \le \mathsf{S}(\pi_2 A :: [\pi_1 A/\alpha]L'')$.
  10. Finally, $\Gamma \rhd \pi_2 A \Uparrow [\pi_1 A/\alpha]K''$
  11. and $\Gamma \vdash \pi_2 A :: [\pi_1 A/\alpha]K''$.

• Case: Rule 2.26.
$$\frac{\Gamma \vdash A' :: L' \qquad \Gamma \vdash A'' :: L''}{\Gamma \vdash \langle A', A''\rangle :: L' \times L''}$$
  1. By the inductive hypothesis, $\Gamma \rhd A' \Uparrow K'$,
  2. $\Gamma \vdash A' :: K'$,
  3. $\Gamma \vdash K' \le \mathsf{S}(A' :: L')$,
  4. $\Gamma \rhd A'' \Uparrow K''$,
  5. $\Gamma \vdash A'' :: K''$,
  6. and $\Gamma \vdash K'' \le \mathsf{S}(A'' :: L'')$.
  7. Then $\Gamma \rhd \langle A', A''\rangle \Uparrow K' \times K''$,
  8. and $\Gamma \vdash \langle A', A''\rangle :: K' \times K''$.
  9. Now $\mathsf{S}(\langle A', A''\rangle :: L' \times L'') = \mathsf{S}(\pi_1\langle A', A''\rangle :: L') \times \mathsf{S}(\pi_2\langle A', A''\rangle :: L'')$.
  10. By Rule 2.95, $\Gamma \vdash \mathsf{S}(A' :: L') \le \mathsf{S}(\pi_1\langle A', A''\rangle :: L')$
  11. and $\Gamma \vdash \mathsf{S}(A'' :: L'') \le \mathsf{S}(\pi_2\langle A', A''\rangle :: L'')$.
  12. Therefore, $\Gamma \vdash K' \times K'' \le \mathsf{S}(\langle A', A''\rangle :: L' \times L'')$.
• Case: Rule 2.29.

$$\frac{\Gamma \vdash A :: \mathsf{T}}{\Gamma \vdash A :: S(A)}$$

By the inductive hypothesis, noting that $S(A :: S(A)) = S(A)$.
• Case: Rule 2.31.

$$\frac{\Gamma, \alpha::L' \vdash A\,\alpha :: L'' \qquad \Gamma \vdash A :: \Pi\alpha::L'_1.L''_1 \qquad \Gamma \vdash L' = L'_1}{\Gamma \vdash A :: \Pi\alpha::L'.L''}$$

1. By the inductive hypothesis, $\Gamma \rhd A \Uparrow K$,
2. $\Gamma \vdash A :: K$,
3. and $\Gamma \vdash K \le S(A :: \Pi\alpha::L'_1.L''_1)$.
4. Now $S(A :: \Pi\alpha::L'_1.L''_1) = \Pi\alpha::L'_1.S(A\,\alpha :: L''_1)$,
5. so by inversion $K = \Pi\alpha::K'.K''$
6. and $\Gamma \vdash L'_1 \le K'$.
7. Since $\Gamma \vdash L' = L'_1$, we have $\Gamma \vdash L' \le L'_1$ and hence $\Gamma \vdash L' \le K'$.
8. Also by the inductive hypothesis, $\Gamma, \alpha::L' \rhd A\,\alpha \Uparrow K''_2$,
9. $\Gamma, \alpha::L' \vdash A\,\alpha :: K''_2$,
10. and $\Gamma, \alpha::L' \vdash K''_2 \le S(A\,\alpha :: L'')$.
11. But since the principal kind synthesis algorithm is deterministic and clearly obeys weakening, we have $K''_2 = [\alpha/\alpha]K'' = K''$.
12. Now $S(A :: \Pi\alpha::L'.L'') = \Pi\alpha::L'.S(A\,\alpha :: L'')$.
13. Therefore $\Gamma \vdash \Pi\alpha::K'.K'' \le S(A :: \Pi\alpha::L'.L'')$.

• Case: Rule 2.30.

$$\frac{\Gamma \vdash \pi_1 A :: L' \qquad \Gamma \vdash \pi_2 A :: L''}{\Gamma \vdash A :: L' \times L''}$$

1. There is a subderivation $\Gamma \vdash A :: K_1$ for some kind $K_1$ (see Proposition 4.4.1 below).
2. By the inductive hypothesis, $\Gamma \rhd \pi_1 A \Uparrow K'$,
3. $\Gamma \vdash \pi_1 A :: K'$,
4. and $\Gamma \vdash K' \le S(\pi_1 A :: L')$.
5. Also, $\Gamma \rhd \pi_2 A \Uparrow K''$,
6. $\Gamma \vdash \pi_2 A :: K''$,
7. and $\Gamma \vdash K'' \le S(\pi_2 A :: [\pi_1 A/\alpha]L'')$.
8. Principal kind synthesis never returns a dependent $\Sigma$ kind, so for kind synthesis for $\pi_1 A$ and $\pi_2 A$ to have succeeded it must be that $\Gamma \rhd A \Uparrow K' \times K''$.
9. By the inductive hypothesis, $\Gamma \vdash A :: K' \times K''$.
10. Since $S(A :: \Sigma\alpha::L'.L'') = S(\pi_1 A :: L') \times S(\pi_2 A :: [\pi_1 A/\alpha]L'')$,
11. $\Gamma \vdash K' \times K'' \le S(A :: \Sigma\alpha::L'.L'')$,
12. so by the inductive hypothesis $\Gamma \vdash A :: K$.

• Case: Rule 2.32.

$$\frac{\Gamma \vdash A :: L_2 \qquad \Gamma \vdash L_2 \le L}{\Gamma \vdash A :: L}$$

The desired result follows from the inductive hypothesis and by Rule 2.95 to get $\Gamma \vdash S(A :: L_2) \le S(A :: L)$.

■
Kind validity

- $\Gamma \rhd \mathsf{T}$  always
- $\Gamma \rhd S(A)$  if $\Gamma \rhd A \Leftarrow \mathsf{T}$.
- $\Gamma \rhd \Pi\alpha::K'.K''$  if $\Gamma \rhd K'$ and $\Gamma, \alpha::K' \rhd K''$.
- $\Gamma \rhd \Sigma\alpha::K'.K''$  if $\Gamma \rhd K'$ and $\Gamma, \alpha::K' \rhd K''$.

Subkinding

- $\Gamma \rhd \mathsf{T} \le \mathsf{T}$  always
- $\Gamma \rhd S(A) \le \mathsf{T}$  always
- $\Gamma \rhd S(A_1) \le S(A_2)$  if $\Gamma \rhd A_1 \Leftrightarrow A_2 :: \mathsf{T}$.
- $\Gamma \rhd \Pi\alpha::K'_1.K''_1 \le \Pi\alpha::K'_2.K''_2$  if $\Gamma \rhd K'_2 \le K'_1$ and $\Gamma, \alpha::K'_2 \rhd K''_1 \le K''_2$.
- $\Gamma \rhd \Sigma\alpha::K'_1.K''_1 \le \Sigma\alpha::K'_2.K''_2$  if $\Gamma \rhd K'_1 \le K'_2$ and $\Gamma, \alpha::K'_1 \rhd K''_1 \le K''_2$.

Kind equivalence

- $\Gamma \rhd \mathsf{T} \Leftrightarrow \mathsf{T}$  always
- $\Gamma \rhd S(A_1) \Leftrightarrow S(A_2)$  if $\Gamma \rhd A_1 \Leftrightarrow A_2 :: \mathsf{T}$
- $\Gamma \rhd \Pi\alpha::K_1.L_1 \Leftrightarrow \Pi\alpha::K_2.L_2$  if $\Gamma \rhd K_1 \Leftrightarrow K_2$ and $\Gamma, \alpha::K_1 \rhd L_1 \Leftrightarrow L_2$
- $\Gamma \rhd \Sigma\alpha::K_1.L_1 \Leftrightarrow \Sigma\alpha::K_2.L_2$  if $\Gamma \rhd K_1 \Leftrightarrow K_2$ and $\Gamma, \alpha::K_1 \rhd L_1 \Leftrightarrow L_2$

Figure 4.2: Algorithms for Kinds

4.3 Algorithms for Kind and Constructor Judgments

Figure 4.2 gives algorithms for determining kind validity, subkinding, and kind equivalence. Each is specified as a deterministic set of inference rules. The symbol $\rhd$ is used instead of $\vdash$ to distinguish these as algorithmic judgments.

The kind validity judgment

$$\Gamma \rhd K$$

models the declarative kind validity judgment $\Gamma \vdash K$. Viewed as an algorithm this takes a well-formed context $\Gamma$ and a kind $K$ and determines whether there is a proof of $\Gamma \vdash K$. For any conclusion, at most one rule could apply; there is one rule for each syntactic form that $K$ might have.

The subkinding judgment

$$\Gamma \rhd K_1 \le K_2$$

models the declarative subkinding judgment $\Gamma \vdash K_1 \le K_2$. As an algorithm, given kinds satisfying $\Gamma \vdash K_1$ and $\Gamma \vdash K_2$ it determines whether there is a proof of $\Gamma \vdash K_1 \le K_2$.

Similarly, the kind equivalence judgment

$$\Gamma \rhd K_1 \Leftrightarrow K_2$$

models declarative equivalence; given two kinds satisfying $\Gamma \vdash K_1$ and $\Gamma \vdash K_2$ it determines whether there is a proof of $\Gamma \vdash K_1 = K_2$.

Figure 4.3 shows the algorithms for determining the well-formedness of constructors. The kind synthesis judgment

$$\Gamma \rhd A \Rightarrow K$$
Kind synthesis

- $\Gamma \rhd \mathrm{Int} \Rightarrow S(\mathrm{Int})$  always
- $\Gamma \rhd \times \Rightarrow S(\times :: \mathsf{T} \to \mathsf{T} \to \mathsf{T})$  always
- $\Gamma \rhd {\to} \Rightarrow S({\to} :: \mathsf{T} \to \mathsf{T} \to \mathsf{T})$  always
- $\Gamma \rhd \alpha \Rightarrow S(\alpha :: \Gamma(\alpha))$  if $\alpha \in \mathrm{dom}(\Gamma)$.
- $\Gamma \rhd \lambda\alpha::K'.A \Rightarrow \Pi\alpha::K'.K''$  if $\Gamma \rhd K'$ and $\Gamma, \alpha::K' \rhd A \Rightarrow K''$.
- $\Gamma \rhd A\,A' \Rightarrow [A'/\alpha]K''$  if $\Gamma \rhd A \Rightarrow \Pi\alpha::K'.K''$ and $\Gamma \rhd A' \Leftarrow K'$.
- $\Gamma \rhd \langle A', A''\rangle \Rightarrow K' \times K''$  if $\Gamma \rhd A' \Rightarrow K'$ and $\Gamma \rhd A'' \Rightarrow K''$.
- $\Gamma \rhd \pi_1 A \Rightarrow K'$  if $\Gamma \rhd A \Rightarrow \Sigma\alpha::K'.K''$
- $\Gamma \rhd \pi_2 A \Rightarrow [\pi_1 A/\alpha]K''$  if $\Gamma \rhd A \Rightarrow \Sigma\alpha::K'.K''$

Kind checking

- $\Gamma \rhd A \Leftarrow K$  if $\Gamma \rhd A \Rightarrow L$ and $\Gamma \rhd L \le K$.

Figure 4.3: Algorithms for Constructor Validity


combines constructor validity checking with principal kind synthesis. As an algorithm, given a well-formed context $\Gamma$ and a constructor $A$ it returns a principal kind $K$ of $A$ if $A$ is well-formed (i.e., if it can be given any kind at all) and fails otherwise.

Because all well-formed constructors have principal kinds, it is easy to define a kind checking judgment

$$\Gamma \rhd A \Leftarrow K$$

which directly models constructor validity checking. Given a context and kind satisfying $\Gamma \vdash K$ and a constructor $A$, this algorithm determines whether $\Gamma \vdash A :: K$ holds.

The judgments involved in constructor equivalence are shown in Figure 4.4. Following Coquand [Coq91], equivalence is determined in a direct fashion rather than by independently normalizing the two constructors and comparing normal forms (but see §5.5).

My algorithm is more involved than Coquand's because of the context- and kind-dependence of equivalence. The algorithmic constructor equivalence rules are divided into a kind-directed part and a structure-directed part, while Coquand needs only structural comparison. Weak head normalization is extended to include looking for definitions in the context. I have also extended the algorithm in a natural fashion to handle $\Sigma$ kinds, pairing, and projection.

The algorithm uses the notion of an elimination context; this is a series of applications to and projections from "$\circ$", which is called the context's hole. If $\mathcal{E}$ is such a context, then $\mathcal{E}[A]$ represents the constructor resulting from replacing the hole in $\mathcal{E}$ with $A$. If a constructor is either of the form $\mathcal{E}[\alpha]$ or of the form $\mathcal{E}[c]$ then it is called a path and denoted by $p$. (Recall that $c$ ranges over constant type constructors.)

$$\mathcal{E} ::= \circ \mid \mathcal{E}\,A \mid \pi_1\mathcal{E} \mid \pi_2\mathcal{E}$$

The kind extraction relation is written

$$\Gamma \rhd p \uparrow K.$$
Kind extraction

- $\Gamma \rhd b \uparrow \mathsf{T}$
- $\Gamma \rhd \times \uparrow \mathsf{T} \to (\mathsf{T} \to \mathsf{T})$
- $\Gamma \rhd {\to} \uparrow \mathsf{T} \to (\mathsf{T} \to \mathsf{T})$
- $\Gamma \rhd \alpha \uparrow \Gamma(\alpha)$
- $\Gamma \rhd \pi_1 p \uparrow K'$  if $\Gamma \rhd p \uparrow \Sigma\beta::K'.K''$
- $\Gamma \rhd \pi_2 p \uparrow [\pi_1 p/\beta]K''$  if $\Gamma \rhd p \uparrow \Sigma\beta::K'.K''$
- $\Gamma \rhd p\,A \uparrow [A/\beta]K''$  if $\Gamma \rhd p \uparrow \Pi\beta::K'.K''$

Weak head reduction

- $\Gamma \rhd \mathcal{E}[(\lambda\alpha::K.A)\,A'] \leadsto \mathcal{E}[[A'/\alpha]A]$
- $\Gamma \rhd \mathcal{E}[\pi_1\langle A_1, A_2\rangle] \leadsto \mathcal{E}[A_1]$
- $\Gamma \rhd \mathcal{E}[\pi_2\langle A_1, A_2\rangle] \leadsto \mathcal{E}[A_2]$
- $\Gamma \rhd \mathcal{E}[\alpha] \leadsto B$  if $\Gamma \rhd \mathcal{E}[\alpha] \uparrow S(B)$

Weak head normalization

- $\Gamma \rhd A \Downarrow B$  if $\Gamma \rhd A \leadsto A'$ and $\Gamma \rhd A' \Downarrow B$
- $\Gamma \rhd B \Downarrow B$  otherwise

Algorithmic constructor equivalence

- $\Gamma \rhd A_1 \Leftrightarrow A_2 :: \mathsf{T}$  if $\Gamma \rhd A_1 \Downarrow p_1$, $\Gamma \rhd A_2 \Downarrow p_2$, and $\Gamma \rhd p_1 \leftrightarrow p_2 \uparrow \mathsf{T}$
- $\Gamma \rhd A_1 \Leftrightarrow A_2 :: S(B)$  always
- $\Gamma \rhd A_1 \Leftrightarrow A_2 :: \Pi\alpha::K'.K''$  if $\Gamma, \alpha::K' \rhd A_1\,\alpha \Leftrightarrow A_2\,\alpha :: K''$
- $\Gamma \rhd A_1 \Leftrightarrow A_2 :: \Sigma\alpha::K'.K''$  if $\Gamma \rhd \pi_1 A_1 \Leftrightarrow \pi_1 A_2 :: K'$ and $\Gamma \rhd \pi_2 A_1 \Leftrightarrow \pi_2 A_2 :: [\pi_1 A_1/\alpha]K''$

Algorithmic path equivalence

- $\Gamma \rhd b \leftrightarrow b \uparrow \mathsf{T}$
- $\Gamma \rhd \times \leftrightarrow \times \uparrow \mathsf{T} \to (\mathsf{T} \to \mathsf{T})$
- $\Gamma \rhd {\to} \leftrightarrow {\to} \uparrow \mathsf{T} \to (\mathsf{T} \to \mathsf{T})$
- $\Gamma \rhd \alpha \leftrightarrow \alpha \uparrow \Gamma(\alpha)$
- $\Gamma \rhd p_1\,A_1 \leftrightarrow p_2\,A_2 \uparrow [A_1/\alpha]K''$  if $\Gamma \rhd p_1 \leftrightarrow p_2 \uparrow \Pi\alpha::K'.K''$ and $\Gamma \rhd A_1 \Leftrightarrow A_2 :: K'$
- $\Gamma \rhd \pi_1 p_1 \leftrightarrow \pi_1 p_2 \uparrow K'$  if $\Gamma \rhd p_1 \leftrightarrow p_2 \uparrow \Sigma\alpha::K'.K''$
- $\Gamma \rhd \pi_2 p_1 \leftrightarrow \pi_2 p_2 \uparrow [\pi_1 p_1/\alpha]K''$  if $\Gamma \rhd p_1 \leftrightarrow p_2 \uparrow \Sigma\alpha::K'.K''$

Figure 4.4: Kind and Constructor Equivalence Algorithms
Given a well-formed context $\Gamma$ and a path $p$ which is well-formed in this context, kind extraction attempts to determine a kind for the path by taking the kind of the head variable or constant and doing the appropriate substitutions and projections. A path is said to have a definition if its extracted kind is a singleton kind $S(B)$; in this case $B$ is said to be the definition of the path.

The extracted kind is not always the most precise kind. For example, $\alpha::\mathsf{T} \rhd \alpha \uparrow \mathsf{T}$, but the principal kind of $\alpha$ in this context would be $S(\alpha)$. Intuitively the extracted kind is the most precise kind which can be assigned without the singleton introduction rule, or Rules 2.30 and 2.31, which can be viewed as extending singleton introduction to higher kinds. This suffices to make $S(p :: K)$ principal for $p$ if $K$ is its extracted kind.

The weak head reduction relation

$$\Gamma \rhd A \leadsto B$$

takes $\Gamma$ and $A$ and returns the result of applying one step of head $\beta$-reduction if $A$ has such a redex. If the head of $A$ is a path with a definition then the definition is returned. Otherwise, there is no weak head reduct.

The weak head normalization relation

$$\Gamma \rhd A \Downarrow B$$

takes $\Gamma$ and $A$ and repeatedly applies weak head reduction to $A$ until a weak head normal form is found. Weak head reduction and weak head normalization are deterministic, since the head $\beta$-redex is always unique if one exists, and a path can have at most one prefix with a definition.

The algorithmic constructor equivalence relation

$$\Gamma \rhd A_1 \Leftrightarrow A_2 :: K$$

models the declarative judgment $\Gamma \vdash A_1 = A_2 :: K$ on well-formed constructors. As an algorithm this is defined by induction/recursion on the kind at which the two constructors are being compared. At $\Pi$ and $\Sigma$ kinds the algorithm uses extensionality to reduce the problem to comparisons of constructors at kinds whose size is strictly smaller. When comparing two constructors at a singleton kind the algorithm can immediately report success, because we only care about inputs where $\Gamma \vdash A_1 :: K$ and $\Gamma \vdash A_2 :: K$; if $K = S(B)$ then $A_1 = B = A_2$ automatically. Finally, if we are comparing two constructors of kind $\mathsf{T}$ then the algorithm must do some real work. This consists of head-normalizing the two constructors, which (if the process terminates) yields two paths without definitions. Then the paths are compared component-wise.

This component-wise comparison is specified by the algorithmic path equivalence relation

$$\Gamma \rhd p_1 \leftrightarrow p_2 \uparrow K.$$

Given two well-formed head-normal paths $\Gamma \vdash p_1 :: K_1$ and $\Gamma \vdash p_2 :: K_2$, this should succeed yielding $K$ if and only if $\Gamma \vdash p_1 = p_2 :: K$ and $K$ is the extracted kind of $p_1$ with respect to $\Gamma$. The only question that arises when writing down these rules is in the case for comparing two applications. If the two function parts are recursively found to be equal, the two arguments must then be compared. Since the two arguments need not be in normal form, they must be compared using the $\Leftrightarrow$ judgment; in this case we must decide at which kind the two arguments should be compared.

The right answer is the domain kind of the extracted kind of the function parts, which (by Lemma 4.4.2 below) is the same as the domain kind of the principal kind of the function parts. Assume we want to compare $p_1\,A_1$ and $p_2\,A_2$ using the typing context $\Gamma$, and that the principal kind of $p_1$ (and $p_2$, since they have been verified equivalent) is $\Pi\alpha::K'.K''$. Then this is the least kind at which the two paths are provably equal, and hence by contravariance the domain kind is greatest. By comparing $A_1$ and $A_2$ at kind $K'$, then, we have the best chance of proving them equal. (Two constructors equivalent at a subtype will be equivalent at a supertype, but not vice versa.) Thus to find as many equivalences as possible, $K'$ is intuitively the correct kind at which the algorithm should compare function arguments. Since the extracted kind agrees with the principal kind in negative positions, it suffices to look at the domain of the extracted function kind rather than computing the full principal kind.


As an example, let $\Gamma = \beta::(S(\mathrm{Int}) \to \mathsf{T}) \to \mathsf{T}$. Then:

$\Gamma \rhd \beta\,(\lambda\alpha::\mathsf{T}.\alpha) \Leftrightarrow \beta\,(\lambda\alpha::\mathsf{T}.\mathrm{Int}) :: \mathsf{T}$
  because $\Gamma \rhd \beta\,(\lambda\alpha::\mathsf{T}.\alpha) \Downarrow \beta\,(\lambda\alpha::\mathsf{T}.\alpha)$
  and $\Gamma \rhd \beta\,(\lambda\alpha::\mathsf{T}.\mathrm{Int}) \Downarrow \beta\,(\lambda\alpha::\mathsf{T}.\mathrm{Int})$
  and $\Gamma \rhd \beta\,(\lambda\alpha::\mathsf{T}.\alpha) \leftrightarrow \beta\,(\lambda\alpha::\mathsf{T}.\mathrm{Int}) \uparrow \mathsf{T}$
    because $\Gamma \rhd \beta \leftrightarrow \beta \uparrow (S(\mathrm{Int}) \to \mathsf{T}) \to \mathsf{T}$
    and $\Gamma \rhd (\lambda\alpha::\mathsf{T}.\alpha) \Leftrightarrow (\lambda\alpha::\mathsf{T}.\mathrm{Int}) :: S(\mathrm{Int}) \to \mathsf{T}$
      because $\Gamma, \alpha::S(\mathrm{Int}) \rhd (\lambda\alpha::\mathsf{T}.\alpha)\,\alpha \Leftrightarrow (\lambda\alpha::\mathsf{T}.\mathrm{Int})\,\alpha :: \mathsf{T}$
        because $\Gamma, \alpha::S(\mathrm{Int}) \rhd (\lambda\alpha::\mathsf{T}.\alpha)\,\alpha \Downarrow \mathrm{Int}$
        and $\Gamma, \alpha::S(\mathrm{Int}) \rhd (\lambda\alpha::\mathsf{T}.\mathrm{Int})\,\alpha \Downarrow \mathrm{Int}$
        and $\Gamma, \alpha::S(\mathrm{Int}) \rhd \mathrm{Int} \leftrightarrow \mathrm{Int} \uparrow \mathsf{T}$.
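The derivation above can be reproduced mechanically. What follows is an added example written for this edit, not code from the dissertation or from the TILT compiler: it transcribes the Figure 4.4 judgments (kind extraction, weak head reduction and normalization, kind-directed constructor equivalence, and structural path equivalence) onto a small tuple-encoded syntax and runs them on the $\beta$ example. Everything about the encoding is this example's own assumption: constructors and kinds are tuples with tags such as `'lam'`, `'app'`, `'Pi'`, `'S'`; contexts are dictionaries from variable names to kinds; constants are `'Int'`, `'x'` and `'->'` with the kinds Figure 4.4 assigns them. The second context in `demo` ($\beta::(\mathsf{T}\to\mathsf{T})\to\mathsf{T}$) is constructed for contrast and is not in the text; it shows the kind-dependence the section argues for, since the same two constructors stop being equivalent once $\alpha$ no longer has the definition $\mathrm{Int}$.

```python
# Added example (not from the dissertation): the Figure 4.4 algorithms on a
# tuple-encoded syntax. Tags, CONST_KINDS and the demo contexts are this
# example's own choices, not the thesis's notation.
import itertools

_counter = itertools.count()

def fresh(base):
    """A name unused elsewhere; contexts here are dicts keyed by name."""
    return f"{base}#{next(_counter)}"

T = ('T',)                                    # the kind of types
def arrow(K1, K2): return ('Pi', '_', K1, K2)  # non-dependent Pi kind K1 -> K2
CONST_KINDS = {'Int': T, 'x': arrow(T, arrow(T, T)), '->': arrow(T, arrow(T, T))}

def fv(e):
    """Free variables of a constructor or kind."""
    tag = e[0]
    if tag == 'var': return {e[1]}
    if tag in ('const', 'T'): return set()
    if tag in ('lam', 'Pi', 'Sigma'): return fv(e[2]) | (fv(e[3]) - {e[1]})
    return set().union(*(fv(c) for c in e[1:]))   # S, app, pair, pi1, pi2

def subst(e, x, v):
    """Capture-avoiding [v/x]e for constructors and kinds."""
    tag = e[0]
    if tag == 'var': return v if e[1] == x else e
    if tag in ('const', 'T'): return e
    if tag in ('lam', 'Pi', 'Sigma'):
        a, K, body = e[1], subst(e[2], x, v), e[3]
        if a == x: return (tag, a, K, body)           # x is shadowed
        if a in fv(v):                                # rename the binder first
            a2 = fresh(a); body = subst(body, a, ('var', a2)); a = a2
        return (tag, a, K, subst(body, x, v))
    return (tag,) + tuple(subst(c, x, v) for c in e[1:])

def extract(ctx, p):
    """Kind extraction (Gamma |> p ^ K); None if p is not a well-kinded path."""
    tag = p[0]
    if tag == 'const': return CONST_KINDS.get(p[1])
    if tag == 'var': return ctx.get(p[1])
    if tag in ('app', 'pi1', 'pi2'):
        K = extract(ctx, p[1])
        if K is None: return None
        if tag == 'app' and K[0] == 'Pi': return subst(K[3], K[1], p[2])
        if tag == 'pi1' and K[0] == 'Sigma': return K[2]
        if tag == 'pi2' and K[0] == 'Sigma': return subst(K[3], K[1], ('pi1', p[1]))
    return None

def whr(ctx, A):
    """One step of weak head reduction, or None when A is weak head normal."""
    tag = A[0]
    if tag == 'app' and A[1][0] == 'lam': return subst(A[1][3], A[1][1], A[2])
    if tag == 'pi1' and A[1][0] == 'pair': return A[1][1]
    if tag == 'pi2' and A[1][0] == 'pair': return A[1][2]
    if tag in ('app', 'pi1', 'pi2'):              # reduce inside the elimination context
        head = whr(ctx, A[1])
        if head is not None: return (tag, head) + tuple(A[2:])
    K = extract(ctx, A)                           # a path with a definition unfolds to it
    return K[1] if K is not None and K[0] == 'S' else None

def whnf(ctx, A):
    """Weak head normalization; terminates on well-formed input (Chapter 5)."""
    while (B := whr(ctx, A)) is not None: A = B
    return A

def equiv(ctx, A1, A2, K):
    """Kind-directed equivalence  Gamma |> A1 <=> A2 :: K."""
    tag = K[0]
    if tag == 'S': return True                    # inputs are assumed to inhabit S(B)
    if tag == 'T': return path_equiv(ctx, whnf(ctx, A1), whnf(ctx, A2)) == T
    a = fresh(K[1]); va = ('var', a)
    if tag == 'Pi':                               # extensionality at Pi kinds
        return equiv({**ctx, a: K[2]}, ('app', A1, va), ('app', A2, va), subst(K[3], K[1], va))
    return (equiv(ctx, ('pi1', A1), ('pi1', A2), K[2]) and          # Sigma kinds
            equiv(ctx, ('pi2', A1), ('pi2', A2), subst(K[3], K[1], ('pi1', A1))))

def path_equiv(ctx, p1, p2):
    """Structural comparison of head-normal paths; returns the extracted kind or None."""
    if p1[0] != p2[0]: return None
    tag = p1[0]
    if tag in ('const', 'var'):
        return extract(ctx, p1) if p1[1] == p2[1] else None
    if tag not in ('app', 'pi1', 'pi2'): return None   # not a path (e.g. two lambdas)
    K = path_equiv(ctx, p1[1], p2[1])
    if K is None: return None
    if tag == 'app' and K[0] == 'Pi' and equiv(ctx, p1[2], p2[2], K[2]):
        return subst(K[3], K[1], p1[2])           # arguments compared at the domain kind
    if tag == 'pi1' and K[0] == 'Sigma': return K[2]
    if tag == 'pi2' and K[0] == 'Sigma': return subst(K[3], K[1], ('pi1', p1[1]))
    return None

# The dissertation's own example: beta :: (S(Int)->T)->T.
Int = ('const', 'Int')
GAMMA = {'beta': arrow(arrow(('S', Int), T), T)}
A1 = ('app', ('var', 'beta'), ('lam', 'alpha', T, ('var', 'alpha')))
A2 = ('app', ('var', 'beta'), ('lam', 'alpha', T, Int))

def demo():
    """Same two constructors, two contexts: equal only where alpha gets kind S(Int)."""
    weaker = {'beta': arrow(arrow(T, T), T)}     # beta :: (T->T)->T, constructed for contrast
    return equiv(GAMMA, A1, A2, T), equiv(weaker, A1, A2, T)
```

`demo()` returns `(True, False)`: under $\Gamma$ the bound $\alpha$ has the definition $\mathrm{Int}$, so both applications head-normalize to $\mathrm{Int}$, exactly as in the trace above; under the weaker context the two bodies normalize to the distinct paths $\alpha$ and $\mathrm{Int}$ and path equivalence fails. Note that `path_equiv` compares the arguments of an application at the domain of the *extracted* kind of the function part, which is the design point the preceding paragraph argues for.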


4.4 Soundness of the Algorithmic Judgments

In order to show soundness of the constructor equivalence algorithm I first show that, given a well-formed path, kind extraction succeeds and returns a valid kind for this path, using induction on the well-formedness proof for the path. (Compare the statement of Theorem 4.2.1 above and of Lemma 4.4.2 below.)

Proposition 4.4.1

If $\Gamma \vdash \mathcal{E}[A] :: L$ then there is a subderivation of the form $\Gamma \vdash A :: K$.

Proof: By induction on the kinding derivation. If $\mathcal{E} = \circ$ then the result follows trivially; otherwise, the result follows by the inductive hypothesis. ■

Lemma 4.4.2

If $\Gamma \vdash p :: K$ then there exists $L$ such that $\Gamma \rhd p \uparrow L$, $\Gamma \vdash p :: L$, and $\Gamma \vdash S(p :: L) \le K$.

Proof: By induction on the proof of the hypothesis.

• Case: Rule 2.20. $p = b$.

1. Then $\Gamma \rhd b \uparrow \mathsf{T}$ and $S(b :: \mathsf{T}) = S(b)$.
2. By Rule 2.20, $\Gamma \vdash b :: \mathsf{T}$
3. and by Rule 2.11, $\Gamma \vdash S(b) \le \mathsf{T}$.

• Case: Rules 2.21 and 2.22. Similar to the previous case, using admissible Rule 2.94.

• Case: Rule 2.23. $p = \alpha$.

1. Then $\Gamma \rhd \alpha \uparrow \Gamma(\alpha)$.
2. By Rule 2.23, $\Gamma \vdash \alpha :: \Gamma(\alpha)$,
3. and by Rule 2.94, $\Gamma \vdash S(\alpha :: \Gamma(\alpha)) \le \Gamma(\alpha)$.

• Case: Rule 2.25.

$$\frac{\Gamma \vdash p :: K' \to K'' \qquad \Gamma \vdash A' :: K'}{\Gamma \vdash p\,A' :: K''}$$

1. By the inductive hypothesis, $\Gamma \rhd p \uparrow \Pi\alpha::L'.L''$,
2. $\Gamma \vdash p :: \Pi\alpha::L'.L''$, and
3. $\Gamma \vdash S(p :: \Pi\alpha::L'.L'') \le K' \to K''$.
4. Then $\Gamma \rhd p\,A' \uparrow [A'/\alpha]L''$.
5. Since $S(p :: \Pi\alpha::L'.L'') = \Pi\alpha::L'.S(p\,\alpha :: L'')$,
6. we have by inversion of Rule 2.14 that $\Gamma \vdash K' \le L'$ and $\Gamma, \alpha::K' \vdash S(p\,\alpha :: L'') \le K''$ where $\alpha \notin FV(K'')$ and $\alpha \notin \mathrm{dom}(\Gamma)$.
7. By subsumption, $\Gamma \vdash A' :: L'$
8. and hence $\Gamma \vdash p\,A' :: [A'/\alpha]L''$ by Rule 2.98.
9. Finally, by substitution we have $\Gamma \vdash S(p\,A' :: [A'/\alpha]L'') \le K''$.

• Case: Rule 2.27.

$$\frac{\Gamma \vdash p :: \Sigma\alpha::K'.K''}{\Gamma \vdash \pi_1 p :: K'}$$

1. By the inductive hypothesis, $\Gamma \rhd p \uparrow L$,
2. $\Gamma \vdash p :: L$, and
3. $\Gamma \vdash S(p :: L) \le \Sigma\alpha::K'.K''$.
4. By inversion $S(p :: L)$ must be a $\Sigma$ kind, and so $L = \Sigma\alpha::L'.L''$ for some $L'$ and $L''$.
5. Then $\Gamma \rhd \pi_1 p \uparrow L'$,
6. and by Rule 2.27, $\Gamma \vdash \pi_1 p :: L'$.
7. Since $S(p :: \Sigma\alpha::L'.L'') = S(\pi_1 p :: L') \times S(\pi_2 p :: [\pi_1 p/\alpha]L'')$,
8. by inversion of Rule 2.15 we have $\Gamma \vdash S(\pi_1 p :: L') \le K'$.

• Case: Rule 2.28.

$$\frac{\Gamma \vdash p :: \Sigma\alpha::K'.K''}{\Gamma \vdash \pi_2 p :: [\pi_1 p/\alpha]K''}$$

1. As in the previous case, $\Gamma \rhd p \uparrow \Sigma\alpha::L'.L''$,
2. $\Gamma \vdash p :: \Sigma\alpha::L'.L''$, and
3. $\Gamma \vdash S(p :: \Sigma\alpha::L'.L'') \le \Sigma\alpha::K'.K''$.
4. Then $\Gamma \rhd \pi_2 p \uparrow [\pi_1 p/\alpha]L''$,
5. and $\Gamma \vdash \pi_2 p :: [\pi_1 p/\alpha]L''$ by Rule 2.28.
6. Since $S(p :: \Sigma\alpha::L'.L'') = S(\pi_1 p :: L') \times S(\pi_2 p :: [\pi_1 p/\alpha]L'')$,
7. by inversion of Rule 2.15, $\Gamma, \alpha::S(\pi_1 p :: L') \vdash S(\pi_2 p :: [\pi_1 p/\alpha]L'') \le K''$.
8. Then $\Gamma \vdash \pi_1 p :: S(\pi_1 p :: L')$,
9. so by Proposition 3.1.11 we have $\Gamma \vdash S(\pi_2 p :: [\pi_1 p/\alpha]L'') \le [\pi_1 p/\alpha]K''$.

• Case: Rule 2.29.

$$\frac{\Gamma \vdash p :: \mathsf{T}}{\Gamma \vdash p :: S(p)}$$

1. By the inductive hypothesis, $\Gamma \rhd p \uparrow L$,
2. $\Gamma \vdash p :: L$,
3. and $\Gamma \vdash S(p :: L) \le \mathsf{T}$.
4. Thus $L$ is either $\mathsf{T}$ or a singleton, and $S(p :: L) = S(p)$,
5. and by reflexivity, $\Gamma \vdash S(p) \le S(p)$.

• Case: Rule 2.30.

$$\frac{\Gamma \vdash \pi_1 p :: K' \qquad \Gamma \vdash \pi_2 p :: K''}{\Gamma \vdash p :: K' \times K''}$$

1. By Proposition 4.4.1 and the inductive hypothesis, $\Gamma \rhd p \uparrow \Sigma\alpha::L'.L''$,
2. $\Gamma \vdash p :: \Sigma\alpha::L'.L''$,
3. $\Gamma \rhd \pi_1 p \uparrow L'$,
4. $\Gamma \vdash \pi_1 p :: L'$,
5. $\Gamma \vdash S(\pi_1 p :: L') \le K'$,
6. $\Gamma \rhd \pi_2 p \uparrow [\pi_1 p/\alpha]L''$,
7. $\Gamma \vdash \pi_2 p :: [\pi_1 p/\alpha]L''$,
8. and $\Gamma \vdash S(\pi_2 p :: [\pi_1 p/\alpha]L'') \le K''$.
9. Thus $\Gamma \vdash S(p :: \Sigma\alpha::L'.L'') \le K' \times K''$.

• Case: Rule 2.31.

$$\frac{\Gamma, \alpha::K' \vdash p\,\alpha :: K'' \qquad \Gamma \vdash p :: \Pi\alpha::L'.L'' \qquad \Gamma \vdash K' = L'}{\Gamma \vdash p :: \Pi\alpha::K'.K''}$$

1. By the inductive hypothesis, $\Gamma \rhd p \uparrow \Pi\alpha::L'.L''$,
2. $\Gamma \vdash p :: \Pi\alpha::L'.L''$,
3. and $\Gamma \vdash (\Pi\alpha::L'.S(p\,\alpha :: L'')) \le \Pi\alpha::K'.K''$.
4. By inversion, $\Gamma \vdash K' \le L'$.
5. By the inductive hypothesis, and determinacy and weakening of the kind extraction algorithm, $\Gamma, \alpha::K' \rhd p\,\alpha \uparrow L''$
6. and $\Gamma, \alpha::K' \vdash S(p\,\alpha :: L'') \le K''$.
7. Therefore, $\Gamma \vdash \Pi\alpha::L'.S(p\,\alpha :: L'') \le \Pi\alpha::K'.K''$.

• Case: Rule 2.32.

$$\frac{\Gamma \vdash p :: K_1 \qquad \Gamma \vdash K_1 \le K_2}{\Gamma \vdash p :: K_2}$$

1. By the inductive hypothesis, $\Gamma \rhd p \uparrow L$,
2. $\Gamma \vdash p :: L$,
3. and $\Gamma \vdash S(p :: L) \le K_1$.
4. By transitivity, $\Gamma \vdash S(p :: L) \le K_2$.

■


Corollary 4.4.3

If $\Gamma \vdash \mathcal{E}[p] :: K$ and $\Gamma \rhd p \uparrow S(A)$ then $\Gamma \vdash \mathcal{E}[p] = \mathcal{E}[A] :: K$.

Proof:

1. By Lemma 4.4.2, $\Gamma \rhd \mathcal{E}[p] \uparrow L$,
2. $\Gamma \vdash \mathcal{E}[p] :: L$,
3. and $\Gamma \vdash S(\mathcal{E}[p] :: L) \le K$.
4. By the determinacy of kind extraction, this can be reconciled with $\Gamma \rhd p \uparrow S(A)$ only if $\mathcal{E} = \circ$ and $L = S(A)$.
5. Thus $\Gamma \vdash p = A :: \mathsf{T}$,
6. and $S(\mathcal{E}[p] :: L) = S(p)$.
7. By inversion of subkinding, either $K = \mathsf{T}$ or $K = S(A')$ with $\Gamma \vdash p = A' :: \mathsf{T}$.
8. In either case, $\Gamma \vdash p = A :: K$.
9. That is, $\Gamma \vdash \mathcal{E}[p] = \mathcal{E}[A] :: K$ as desired.

■


Proposition 4.4.4

If $\Gamma \vdash \lambda\alpha::K'.A :: L$ then $\Gamma, \alpha::K' \vdash A :: K''$ for some kind $K''$.

Proof: By induction on derivations. For proofs ending with Rule 2.24 the desired result is given directly; for Rules 2.31 and 2.32, the result follows directly by the inductive hypothesis. ■

Proposition 4.4.5

If $\Gamma \vdash \mathcal{E}[(\lambda\alpha::L.A)\,A'] :: K$ then $\Gamma \vdash \mathcal{E}[(\lambda\alpha::L.A)\,A'] = \mathcal{E}[[A'/\alpha]A] :: K$.

Proof: By induction on the given derivation.

• Case:

$$\frac{\Gamma \vdash \lambda\alpha::L'.A :: \Pi\alpha::K'.K'' \qquad \Gamma \vdash A' :: K'}{\Gamma \vdash (\lambda\alpha::L'.A)\,A' :: [A'/\alpha]K''}$$

where $\mathcal{E} = \circ$.

1. Using Proposition 4.4.4 and the correctness of principal kind synthesis we have $\Gamma, \alpha::L' \rhd A \Uparrow L''$,
2. $\Gamma, \alpha::L' \vdash A :: L''$,
3. $\Gamma \rhd \lambda\alpha::L'.A \Uparrow \Pi\alpha::L'.L''$,
4. $\Gamma \vdash \lambda\alpha::L'.A :: \Pi\alpha::L'.L''$,
5. and $\Gamma \vdash \Pi\alpha::L'.L'' \le \Pi\alpha::K'.K''$.
6. By inversion, $\Gamma \vdash K' \le L'$
7. and $\Gamma, \alpha::K' \vdash L'' \le K''$.
8. By subsumption, $\Gamma \vdash A' :: L'$.
9. Thus $\Gamma \vdash (\lambda\alpha::L'.A)\,A' = [A'/\alpha]A :: [A'/\alpha]L''$ by Rule 2.107.
10. By substitution, $\Gamma \vdash [A'/\alpha]L'' \le [A'/\alpha]K''$.
11. Therefore by subsumption we have $\Gamma \vdash (\lambda\alpha::L'.A)\,A' = [A'/\alpha]A :: [A'/\alpha]K''$.

• All other cases follow by structural rules and reflexivity of declarative equivalence.

■


Proposition 4.4.6

1. If $\Gamma \vdash \mathcal{E}[\pi_1\langle A', A''\rangle] :: K$ then $\Gamma \vdash \mathcal{E}[\pi_1\langle A', A''\rangle] = \mathcal{E}[A'] :: K$.
2. If $\Gamma \vdash \mathcal{E}[\pi_2\langle A', A''\rangle] :: K$ then $\Gamma \vdash \mathcal{E}[\pi_2\langle A', A''\rangle] = \mathcal{E}[A''] :: K$.
3. If $\Gamma \vdash \langle A', A''\rangle :: \Sigma\alpha::K'.K''$ then $\Gamma \vdash A' :: K'$ and $\Gamma \vdash A'' :: [A'/\alpha]K''$.

Proof: By simultaneous induction on derivations.

1. • Case:

$$\frac{\Gamma \vdash \langle A', A''\rangle :: \Sigma\alpha::K'.K''}{\Gamma \vdash \pi_1\langle A', A''\rangle :: K'}$$

where $\mathcal{E} = \circ$.

(a) Inductively by Part 3, $\Gamma \vdash A' :: K'$
(b) and $\Gamma \vdash A'' :: [A'/\alpha]K''$.
(c) The desired result follows by Rule 2.108.

• The remaining cases follow by structural rules and reflexivity.

2. • Case:

$$\frac{\Gamma \vdash \langle A', A''\rangle :: \Sigma\alpha::K'.K''}{\Gamma \vdash \pi_2\langle A', A''\rangle :: [\pi_1\langle A', A''\rangle/\alpha]K''}$$

where $\mathcal{E} = \circ$.

(a) Inductively by Part 3, $\Gamma \vdash A' :: K'$
(b) and $\Gamma \vdash A'' :: [A'/\alpha]K''$.
(c) By Rule 2.109, $\Gamma \vdash \pi_2\langle A', A''\rangle = A'' :: [A'/\alpha]K''$.
(d) As in Part 1, $\Gamma \vdash \pi_1\langle A', A''\rangle = A' :: K'$.
(e) By validity and inversion, $\Gamma, \alpha::K' \vdash K''$,
(f) so by functionality, $\Gamma \vdash [\pi_1\langle A', A''\rangle/\alpha]K'' = [A'/\alpha]K''$.
(g) Thus by subsumption we have $\Gamma \vdash \pi_2\langle A', A''\rangle = A'' :: [\pi_1\langle A', A''\rangle/\alpha]K''$.

• The remaining cases follow by structural rules and reflexivity.

3. • Case:

$$\frac{\Gamma \vdash A_1 :: K' \qquad \Gamma \vdash A_2 :: K''}{\Gamma \vdash \langle A_1, A_2\rangle :: K' \times K''}$$

Obvious.

• Case:

$$\frac{\Gamma \vdash \Sigma\alpha::K'.K'' \qquad \Gamma \vdash \pi_1\langle A', A''\rangle :: K' \qquad \Gamma \vdash \pi_2\langle A', A''\rangle :: [\pi_1\langle A', A''\rangle/\alpha]K''}{\Gamma \vdash \langle A', A''\rangle :: \Sigma\alpha::K'.K''}$$

(a) Inductively by Part 1, $\Gamma \vdash \pi_1\langle A', A''\rangle = A' :: K'$.
(b) Inductively by Part 2, $\Gamma \vdash \pi_2\langle A', A''\rangle = A'' :: [\pi_1\langle A', A''\rangle/\alpha]K''$.
(c) By inversion and functionality, $\Gamma \vdash [\pi_1\langle A', A''\rangle/\alpha]K'' = [A'/\alpha]K''$.
(d) Thus by validity, subsumption and Proposition 3.1.1, $\Gamma \vdash A' :: K'$
(e) and $\Gamma \vdash A'' :: [A'/\alpha]K''$.

• Case:

$$\frac{\Gamma \vdash \langle A', A''\rangle :: K_1 \qquad \Gamma \vdash K_1 \le \Sigma\alpha::K'.K''}{\Gamma \vdash \langle A', A''\rangle :: \Sigma\alpha::K'.K''}$$

(a) By inversion, $K_1 = \Sigma\alpha::K'_1.K''_1$,
(b) $\Gamma \vdash K'_1 \le K'$
(c) and $\Gamma, \alpha::K'_1 \vdash K''_1 \le K''$.
(d) By the inductive hypothesis, $\Gamma \vdash A' :: K'_1$
(e) and $\Gamma \vdash A'' :: [A'/\alpha]K''_1$.
(f) By substitution, $\Gamma \vdash [A'/\alpha]K''_1 \le [A'/\alpha]K''$.
(g) Then the desired results follow by subsumption.

■


Corollary 4.4.7

If $\Gamma \vdash A :: K$ and $\Gamma \rhd A \Downarrow B$ then $\Gamma \vdash A = B :: K$.

Proof: By transitivity and reflexivity of declarative equivalence, it suffices to show that if $\Gamma \vdash A :: K$ and $\Gamma \rhd A \leadsto B$ then $\Gamma \vdash A = B :: K$. But all possibilities for the reduction step are covered by Corollary 4.4.3, Proposition 4.4.5, and Proposition 4.4.6. ■

Proposition 4.4.8

If $\Gamma \vdash \mathcal{E}[A\,A'] :: L$ then there exist kinds $K'$ and $K''$ such that $\Gamma \vdash A :: K' \to K''$ and $\Gamma \vdash A' :: K'$.

Proof: By induction on typing derivations. If $\mathcal{E} = \circ$ and the proof concludes with a use of the application Rule 2.25 then the result follows by inversion; in all other cases, the result follows by the inductive hypothesis. ■

Theorem 4.4.9 (Soundness)

1. If $\Gamma \vdash A_1 :: K$, $\Gamma \vdash A_2 :: K$, and $\Gamma \rhd A_1 \Leftrightarrow A_2 :: K$ then $\Gamma \vdash A_1 = A_2 :: K$.
2. If $\Gamma \vdash p_1 :: K_1$, $\Gamma \vdash p_2 :: K_2$, and $\Gamma \rhd p_1 \leftrightarrow p_2 \uparrow K$ then $\Gamma \vdash p_1 = p_2 :: K$.
3. If $\Gamma \vdash K_1$, $\Gamma \vdash K_2$, and $\Gamma \rhd K_1 \le K_2$ then $\Gamma \vdash K_1 \le K_2$.
4. If $\Gamma \vdash K_1$, $\Gamma \vdash K_2$, and $\Gamma \rhd K_1 \Leftrightarrow K_2$ then $\Gamma \vdash K_1 = K_2$.
5. If $\Gamma \vdash \mathrm{ok}$ and $\Gamma \rhd K$ then $\Gamma \vdash K$.
6. If $\Gamma \vdash \mathrm{ok}$ and $\Gamma \rhd A \Rightarrow K$ then $\Gamma \vdash A :: K$ and $\Gamma \rhd A \Uparrow K$.
7. If $\Gamma \vdash K$ and $\Gamma \rhd A \Leftarrow K$ then $\Gamma \vdash A :: K$.

Proof: By (simultaneous) induction on proofs of the algorithmic judgments (i.e., by induction on the execution of the algorithms). ■
Chapter 5

Completeness and Decidability for Constructors and Kinds

5.1 Introduction

Correctness of the algorithms for the constructor and kind judgments can easily be seen to reduce to correctness of the algorithm for constructor equivalence. Since the algorithms of the previous chapter are sound, it suffices to prove completeness of the constructor equivalence algorithm (i.e., if $\Gamma \vdash A_1 = A_2 :: K$ then $\Gamma \rhd A_1 \Leftrightarrow A_2 :: K$) and that this algorithm will terminate with an answer for all well-formed inputs.

It is instructive to see why the direct approach of proving completeness by induction on the derivation of $\Gamma \vdash A_1 = A_2 :: K$ fails. We immediately run into trouble with such rules as Rule 2.37:

$$\frac{\Gamma \vdash A_1 = A_2 :: K' \to K'' \qquad \Gamma \vdash A'_1 = A'_2 :: K'}{\Gamma \vdash A_1\,A'_1 = A_2\,A'_2 :: K''}$$

Here we would have by the induction hypothesis that $\Gamma \rhd A_1 \Leftrightarrow A_2 :: K' \to K''$ and $\Gamma \rhd A'_1 \Leftrightarrow A'_2 :: K'$. However, there appears to be no way to show directly that these imply $\Gamma \rhd A_1\,A'_1 \Leftrightarrow A_2\,A'_2 :: K''$, because the algorithm proceeds via head-normalization rather than comparing the applications component-wise.

Similarly, in Rule 2.44

$$\frac{\Gamma \vdash A :: S(B)}{\Gamma \vdash A = B :: S(B)}$$

there is no way to apply the induction hypothesis and hence no way to show the conclusion.

Coquand [Coq91] proves the completeness of an equivalence algorithm for a lambda calculus with $\Pi$ types using a form of Kripke logical relations. The key idea is to prove completeness by defining a relation (here called logical equivalence) which not only implies algorithmic equivalence, but also satisfies stronger properties. For example, if two functions are logically related then their application to logically-related arguments yields logically-related applications. By proving inductively that declarative equivalence implies logical equivalence, we have strengthened the induction hypothesis enough to allow cases such as Rules 2.37 and 2.44 to go through.

I have substantially extended this approach to handle singleton kinds, as well as pairs and subkinding. However, one essential obstacle remains: declarative equivalence is transitive and symmetric, which requires showing that logical equivalence is transitive and symmetric. Since logical equivalence is defined in terms of the equivalence algorithm, this requires showing that algorithmic equivalence is both symmetric and transitive. Surprisingly, this is not at all obvious.
The difficulty is that the presentation of the algorithm is inherently asymmetric. Because of dependencies in the kinds, at various points one must make a choice between one of two provably equal kinds. For example, verifying

$$\Gamma \rhd A_1 \Leftrightarrow A_2 :: \Sigma\alpha::K'.K''$$

requires checking that

$$\Gamma \rhd \pi_1 A_1 \Leftrightarrow \pi_1 A_2 :: K'$$

and either

$$\Gamma \rhd \pi_2 A_1 \Leftrightarrow \pi_2 A_2 :: [\pi_1 A_1/\alpha]K''$$

or

$$\Gamma \rhd \pi_2 A_1 \Leftrightarrow \pi_2 A_2 :: [\pi_1 A_2/\alpha]K''.$$

(Similar alternatives also appear in the definitions of path equivalence and kind equivalence.) Although the kinds $[\pi_1 A_1/\alpha]K''$ and $[\pi_1 A_2/\alpha]K''$ will be provably equivalent, each choice leads to different definitions in the context and may cause head-normalization to take an entirely different path. If the algorithm is correct then it should end up with the same answer in either case, but I am unable to give a direct proof that this is true.

The algorithm could be forced to be more symmetric by adding conditions, e.g., by specifying that

$$\Gamma \rhd A_1 \Leftrightarrow A_2 :: \Sigma\alpha::K'.K''$$

requires

$$\Gamma \rhd \pi_1 A_1 \Leftrightarrow \pi_1 A_2 :: K'$$

and

$$\Gamma \rhd \pi_2 A_1 \Leftrightarrow \pi_2 A_2 :: [\pi_1 A_1/\alpha]K''$$

and

$$\Gamma \rhd \pi_2 A_1 \Leftrightarrow \pi_2 A_2 :: [\pi_1 A_2/\alpha]K'',$$

but the problem of showing transitivity remains.


In §5.2 I give a revised form for the constructor and kind equivalence algorithms, designed specifically to make both transitivity and symmetry obvious. This leads to a nonstandard form of Kripke-style logical relation, described in §5.3; using this I show the revised equivalence algorithms are terminating and complete with respect to MIL$_0$ equivalence. Finally, since the revised algorithm requires redundant bookkeeping, I show in §5.4 that the correctness of the revised algorithm implies the completeness and termination of the equivalence algorithm presented in the previous chapter, which forms the basis of the TILT implementation. It follows that all kind- and constructor-level judgments are decidable.


5.2 A Symmetric and Transitive Algorithm

5.2.1 Definition

The way to build transitivity into constructor and kind equivalence is to maintain two provably equal typing contexts and two (provably equal) classifying kinds. Then the form of algorithmic constructor equivalence becomes

$$\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: K_2.$$

Although the expectation is that the algorithm will only be applied when $\Gamma_1 \vdash A_1 :: K_1$ and $\Gamma_2 \vdash A_2 :: K_2$, this is not a comparison of judgments but merely suggestive notation for a 6-place relation. The algorithm takes these 6 inputs and returns success or failure (or fails to terminate).

The advantage of this formulation is that arbitrary choices disappear. For example, the comparison

$$\Gamma_1 \rhd A_1 :: \Sigma\alpha::K'_1.K''_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: \Sigma\alpha::K'_2.K''_2$$

between two pairs of constructors checks

$$\Gamma_1 \rhd \pi_1 A_1 :: K'_1 \Leftrightarrow \Gamma_2 \rhd \pi_1 A_2 :: K'_2$$

and

$$\Gamma_1 \rhd \pi_2 A_1 :: [\pi_1 A_1/\alpha]K''_1 \Leftrightarrow \Gamma_2 \rhd \pi_2 A_2 :: [\pi_1 A_2/\alpha]K''_2.$$

Both of the possible substitutions are used, in a symmetric fashion.

Similarly the algorithmic path equivalence relation takes the form

$$\Gamma_1 \rhd p_1 \uparrow K_1 \leftrightarrow \Gamma_2 \rhd p_2 \uparrow K_2,$$

and algorithmic kind equivalence becomes

$$\Gamma_1 \rhd K_1 \Leftrightarrow \Gamma_2 \rhd K_2.$$

The full definitions of the revised algorithm are shown in Figure 5.1. (The kind extraction, weak head reduction, and weak head normalization judgments are unchanged.) It is simple to show that these definitions have the required behavior:

Lemma 5.2.1 (Algorithmic Symmetry and Transitivity)

1. If $\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: K_2$ then $\Gamma_2 \rhd A_2 :: K_2 \Leftrightarrow \Gamma_1 \rhd A_1 :: K_1$.
2. If $\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: K_2$ and $\Gamma_2 \rhd A_2 :: K_2 \Leftrightarrow \Gamma_3 \rhd A_3 :: K_3$ then $\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_3 \rhd A_3 :: K_3$.
3. If $\Gamma_1 \rhd p_1 \uparrow K_1 \leftrightarrow \Gamma_2 \rhd p_2 \uparrow K_2$ then $\Gamma_2 \rhd p_2 \uparrow K_2 \leftrightarrow \Gamma_1 \rhd p_1 \uparrow K_1$.
4. If $\Gamma_1 \rhd p_1 \uparrow K_1 \leftrightarrow \Gamma_2 \rhd p_2 \uparrow K_2$ and $\Gamma_2 \rhd p_2 \uparrow K_2 \leftrightarrow \Gamma_3 \rhd p_3 \uparrow K_3$ then $\Gamma_1 \rhd p_1 \uparrow K_1 \leftrightarrow \Gamma_3 \rhd p_3 \uparrow K_3$.
5. If $\Gamma_1 \rhd K_1 \Leftrightarrow \Gamma_2 \rhd K_2$ then $\Gamma_2 \rhd K_2 \Leftrightarrow \Gamma_1 \rhd K_1$.
6. If $\Gamma_1 \rhd K_1 \Leftrightarrow \Gamma_2 \rhd K_2$ and $\Gamma_2 \rhd K_2 \Leftrightarrow \Gamma_3 \rhd K_3$ then $\Gamma_1 \rhd K_1 \Leftrightarrow \Gamma_3 \rhd K_3$.

Proof: By induction on derivations of the algorithmic judgments (i.e., by induction on the execution of the algorithms). ■

I have made two changes to the constructor equivalence algorithm beyond those necessary to maintain symmetry and transitivity.

• When comparing two constructors with singleton kinds, the algorithm compares the two constructors at kind $\mathsf{T}$ rather than short-circuiting with immediate success.

• When comparing two constructors with $\Pi$ kinds, the algorithm also compares the domain kinds of the two $\Pi$ kinds.

Intuitively these additions are redundant, but they are useful when proving the existence of normal forms of constructors (see §5.5). If this algorithm is sound, complete, and terminating, then it will remain so when these redundant extensions are omitted. However, the converse is less obvious; a priori these extra tests might cause the algorithm to become nonterminating on some inputs. Hence proving the correctness of the algorithm as shown in Figure 5.1 is a stronger result.

5.2.2 Soundness

As before, path equivalence computes extracted kinds of paths, but here it extracts the kinds of both paths:

Lemma 5.2.2

If $\Gamma_1 \rhd A_1 \uparrow K_1 \leftrightarrow \Gamma_2 \rhd A_2 \uparrow K_2$ then $\Gamma_1 \rhd A_1 \uparrow K_1$ and $\Gamma_2 \rhd A_2 \uparrow K_2$.

The proof of soundness for the revised algorithms is very similar to the proof for the original algorithmic equivalence:

Theorem 5.2.3 (Soundness)

1. If $\vdash \Gamma_1 = \Gamma_2$, $\Gamma_1 \vdash K_1 = K_2$, $\Gamma_1 \vdash A_1 :: K_1$, $\Gamma_2 \vdash A_2 :: K_2$, and $\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: K_2$ then $\Gamma_1 \vdash A_1 = A_2 :: K_1$.
2. If $\vdash \Gamma_1 = \Gamma_2$, $\Gamma_1 \vdash p_1 :: L_1$, $\Gamma_2 \vdash p_2 :: L_2$, and $\Gamma_1 \rhd p_1 \uparrow K_1 \leftrightarrow \Gamma_2 \rhd p_2 \uparrow K_2$ then $\Gamma_1 \vdash K_1 = K_2$ and $\Gamma_1 \vdash p_1 = p_2 :: K_1$.
3. If $\vdash \Gamma_1 = \Gamma_2$, $\Gamma_1 \vdash K_1$, $\Gamma_2 \vdash K_2$, and $\Gamma_1 \rhd K_1 \Leftrightarrow \Gamma_2 \rhd K_2$ then $\Gamma_1 \vdash K_1 = K_2$.

Proof: Parts 1 and 2 follow by simultaneous induction on the algorithmic judgments and by cases on the last step in the algorithmic derivation. I omit the proof of Part 3, which follows from Part 1 and induction.

1. • Case: $\Gamma_1 \rhd A_1 :: \mathsf{T} \Leftrightarrow \Gamma_2 \rhd A_2 :: \mathsf{T}$ because $\Gamma_1 \rhd A_1 \Downarrow p_1$, $\Gamma_2 \rhd A_2 \Downarrow p_2$, and $\Gamma_1 \rhd p_1 \uparrow \mathsf{T} \leftrightarrow \Gamma_2 \rhd p_2 \uparrow \mathsf{T}$.

(a) By Corollary 4.4.7, $\Gamma_1 \vdash A_1 = p_1 :: \mathsf{T}$
(b) and $\Gamma_2 \vdash A_2 = p_2 :: \mathsf{T}$.
(c) By Corollary 3.2.8, $\Gamma_1 \vdash A_2 = p_2 :: \mathsf{T}$.
(d) By Validity, $\Gamma_1 \vdash p_1 :: \mathsf{T}$
(e) and $\Gamma_2 \vdash p_2 :: \mathsf{T}$.
(f) By the inductive hypothesis, $\Gamma_1 \vdash p_1 = p_2 :: \mathsf{T}$.
(g) By symmetry and transitivity of equivalence therefore, $\Gamma_1 \vdash A_1 = A_2 :: \mathsf{T}$.

• Case: $\Gamma_1 \rhd A_1 :: S(B_1) \Leftrightarrow \Gamma_2 \rhd A_2 :: S(B_2)$ because $\Gamma_1 \rhd A_1 \Downarrow p_1$, $\Gamma_2 \rhd A_2 \Downarrow p_2$, and $\Gamma_1 \rhd p_1 \uparrow \mathsf{T} \leftrightarrow \Gamma_2 \rhd p_2 \uparrow \mathsf{T}$.

(a) As in the previous case, $\Gamma_1 \vdash A_1 = A_2 :: \mathsf{T}$.
(b) Then $\Gamma_1 \vdash A_1 = A_2 :: S(A_1)$,
(c) but $\Gamma_1 \vdash A_1 = B_1 :: \mathsf{T}$ by inversion of kind equivalence,
(d) so $\Gamma_1 \vdash A_1 = A_2 :: S(B_1)$ by subsumption.
Algorithmic constructor equivalence

- $\Gamma_1 \rhd A_1 :: \mathsf{T} \Leftrightarrow \Gamma_2 \rhd A_2 :: \mathsf{T}$  if $\Gamma_1 \rhd A_1 \Downarrow p_1$ and $\Gamma_2 \rhd A_2 \Downarrow p_2$ and $\Gamma_1 \rhd p_1 \uparrow \mathsf{T} \leftrightarrow \Gamma_2 \rhd p_2 \uparrow \mathsf{T}$
- $\Gamma_1 \rhd A_1 :: S(B_1) \Leftrightarrow \Gamma_2 \rhd A_2 :: S(B_2)$  if $\Gamma_1 \rhd A_1 \Downarrow p_1$ and $\Gamma_2 \rhd A_2 \Downarrow p_2$ and $\Gamma_1 \rhd p_1 \uparrow \mathsf{T} \leftrightarrow \Gamma_2 \rhd p_2 \uparrow \mathsf{T}$
- $\Gamma_1 \rhd A_1 :: \Pi\alpha::K'_1.K''_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: \Pi\alpha::K'_2.K''_2$  if $\Gamma_1, \alpha::K'_1 \rhd A_1\,\alpha :: K''_1 \Leftrightarrow \Gamma_2, \alpha::K'_2 \rhd A_2\,\alpha :: K''_2$ and $\Gamma_1 \rhd K'_1 \Leftrightarrow \Gamma_2 \rhd K'_2$
- $\Gamma_1 \rhd A_1 :: \Sigma\alpha::K'_1.K''_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: \Sigma\alpha::K'_2.K''_2$  if $\Gamma_1 \rhd \pi_1 A_1 :: K'_1 \Leftrightarrow \Gamma_2 \rhd \pi_1 A_2 :: K'_2$, and $\Gamma_1 \rhd \pi_2 A_1 :: [\pi_1 A_1/\alpha]K''_1 \Leftrightarrow \Gamma_2 \rhd \pi_2 A_2 :: [\pi_1 A_2/\alpha]K''_2$

Algorithmic path equivalence

- $\Gamma_1 \rhd b \uparrow \mathsf{T} \leftrightarrow \Gamma_2 \rhd b \uparrow \mathsf{T}$  always
- $\Gamma_1 \rhd \times \uparrow \mathsf{T} \to \mathsf{T} \to \mathsf{T} \leftrightarrow \Gamma_2 \rhd \times \uparrow \mathsf{T} \to \mathsf{T} \to \mathsf{T}$  always
- $\Gamma_1 \rhd {\to} \uparrow \mathsf{T} \to \mathsf{T} \to \mathsf{T} \leftrightarrow \Gamma_2 \rhd {\to} \uparrow \mathsf{T} \to \mathsf{T} \to \mathsf{T}$  always
- $\Gamma_1 \rhd \alpha \uparrow \Gamma_1(\alpha) \leftrightarrow \Gamma_2 \rhd \alpha \uparrow \Gamma_2(\alpha)$  always
- $\Gamma_1 \rhd p_1\,A_1 \uparrow [A_1/\alpha]K''_1 \leftrightarrow \Gamma_2 \rhd p_2\,A_2 \uparrow [A_2/\alpha]K''_2$  if $\Gamma_1 \rhd p_1 \uparrow \Pi\alpha::K'_1.K''_1 \leftrightarrow \Gamma_2 \rhd p_2 \uparrow \Pi\alpha::K'_2.K''_2$ and $\Gamma_1 \rhd A_1 :: K'_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: K'_2$.
- $\Gamma_1 \rhd \pi_1 p_1 \uparrow K'_1 \leftrightarrow \Gamma_2 \rhd \pi_1 p_2 \uparrow K'_2$  if $\Gamma_1 \rhd p_1 \uparrow \Sigma\alpha::K'_1.K''_1 \leftrightarrow \Gamma_2 \rhd p_2 \uparrow \Sigma\alpha::K'_2.K''_2$.
- $\Gamma_1 \rhd \pi_2 p_1 \uparrow [\pi_1 p_1/\alpha]K''_1 \leftrightarrow \Gamma_2 \rhd \pi_2 p_2 \uparrow [\pi_1 p_2/\alpha]K''_2$  if $\Gamma_1 \rhd p_1 \uparrow \Sigma\alpha::K'_1.K''_1 \leftrightarrow \Gamma_2 \rhd p_2 \uparrow \Sigma\alpha::K'_2.K''_2$

Algorithmic kind equivalence

- $\Gamma_1 \rhd \mathsf{T} \Leftrightarrow \Gamma_2 \rhd \mathsf{T}$  always
- $\Gamma_1 \rhd S(A_1) \Leftrightarrow \Gamma_2 \rhd S(A_2)$  if $\Gamma_1 \rhd A_1 :: \mathsf{T} \Leftrightarrow \Gamma_2 \rhd A_2 :: \mathsf{T}$
- $\Gamma_1 \rhd \Pi\alpha::K'_1.K''_1 \Leftrightarrow \Gamma_2 \rhd \Pi\alpha::K'_2.K''_2$  if $\Gamma_1 \rhd K'_1 \Leftrightarrow \Gamma_2 \rhd K'_2$ and $\Gamma_1, \alpha::K'_1 \rhd K''_1 \Leftrightarrow \Gamma_2, \alpha::K'_2 \rhd K''_2$
- $\Gamma_1 \rhd \Sigma\alpha::K'_1.K''_1 \Leftrightarrow \Gamma_2 \rhd \Sigma\alpha::K'_2.K''_2$  if $\Gamma_1 \rhd K'_1 \Leftrightarrow \Gamma_2 \rhd K'_2$ and $\Gamma_1, \alpha::K'_1 \rhd K''_1 \Leftrightarrow \Gamma_2, \alpha::K'_2 \rhd K''_2$

Figure 5.1: Revised Equivalence Algorithm
• Case: $\Gamma_1 \rhd A_1 :: \Pi\alpha{::}K_1'.K_1'' \Leftrightarrow \Gamma_2 \rhd A_2 :: \Pi\alpha{::}K_2'.K_2''$ because $\Gamma_1, \alpha{::}K_1' \rhd A_1\,\alpha :: K_1'' \Leftrightarrow \Gamma_2, \alpha{::}K_2' \rhd A_2\,\alpha :: K_2''$ and $\Gamma_1 \rhd K_1' \Leftrightarrow \Gamma_2 \rhd K_2'$.

(a) Since $\vdash \Gamma_1, \alpha{::}K_1' = \Gamma_2, \alpha{::}K_2'$,

(b) $\Gamma_1, \alpha{::}K_1' \vdash A_1\,\alpha :: K_1''$,

(c) $\Gamma_2, \alpha{::}K_2' \vdash A_2\,\alpha :: K_2''$,

(d) and $\Gamma_1, \alpha{::}K_1' \vdash K_1'' = K_2''$,

(e) the inductive hypothesis applies, yielding $\Gamma_1, \alpha{::}K_1' \vdash A_1\,\alpha = A_2\,\alpha :: K_1''$.

(f) Thus by Rule 2.42, $\Gamma_1 \vdash A_1 = A_2 :: \Pi\alpha{::}K_1'.K_1''$.

• Case: $\Gamma_1 \rhd A_1 :: \Sigma\alpha{::}K_1'.K_1'' \Leftrightarrow \Gamma_2 \rhd A_2 :: \Sigma\alpha{::}K_2'.K_2''$ because $\Gamma_1 \rhd \pi_1 A_1 :: K_1' \Leftrightarrow \Gamma_2 \rhd \pi_1 A_2 :: K_2'$ and $\Gamma_1 \rhd \pi_2 A_1 :: [\pi_1 A_1/\alpha]K_1'' \Leftrightarrow \Gamma_2 \rhd \pi_2 A_2 :: [\pi_1 A_2/\alpha]K_2''$.

(a) Since $\Gamma_1 \vdash \pi_1 A_1 :: K_1'$

(b) $\Gamma_2 \vdash \pi_1 A_2 :: K_2'$,

(c) and by inversion $\Gamma_1 \vdash K_1' = K_2'$,

(d) by the inductive hypothesis we have $\Gamma_1 \vdash \pi_1 A_1 = \pi_1 A_2 :: K_1'$.

(e) By functionality, $\Gamma_1 \vdash [\pi_1 A_1/\alpha]K_1'' = [\pi_1 A_2/\alpha]K_2''$.

(f) Then $\Gamma_1 \vdash \pi_2 A_1 :: [\pi_1 A_1/\alpha]K_1''$

(g) and $\Gamma_2 \vdash \pi_2 A_2 :: [\pi_1 A_2/\alpha]K_2''$.

(h) By the inductive hypothesis, $\Gamma_1 \vdash \pi_2 A_1 = \pi_2 A_2 :: [\pi_1 A_1/\alpha]K_1''$.

(i) By Corollary 3.2.8 and Rule 2.41, $\Gamma_1 \vdash A_1 = A_2 :: \Sigma\alpha{::}K_1'.K_1''$.

2. • Case: $\Gamma_1 \rhd b_i \uparrow T \leftrightarrow \Gamma_2 \rhd b_i \uparrow T$.

By Proposition 3.1.1, $\Gamma_1 \vdash \mathrm{ok}$. Thus by Rule 2.33, $\Gamma_1 \vdash b_i = b_i :: T$.

• Case: $\Gamma_1 \rhd \alpha \uparrow \Gamma_1(\alpha) \leftrightarrow \Gamma_2 \rhd \alpha \uparrow \Gamma_2(\alpha)$.

By Validity and Rule 2.33, $\Gamma_1 \vdash \alpha = \alpha :: \Gamma_1(\alpha)$.

• Case: $\Gamma_1 \rhd p_1 A_1 \uparrow [A_1/\alpha]L_1'' \leftrightarrow \Gamma_2 \rhd p_2 A_2 \uparrow [A_2/\alpha]L_2''$ because $\Gamma_1 \rhd p_1 \uparrow \Pi\alpha{::}L_1'.L_1'' \leftrightarrow \Gamma_2 \rhd p_2 \uparrow \Pi\alpha{::}L_2'.L_2''$ and $\Gamma_1 \rhd A_1 :: L_1' \Leftrightarrow \Gamma_2 \rhd A_2 :: L_2'$.

(a) By Proposition 4.4.8, $\Gamma_1 \vdash p_1 :: K_1' \to K_1''$,

(b) $\Gamma_1 \vdash A_1 :: K_1'$,

(c) $\Gamma_2 \vdash p_2 :: K_2' \to K_2''$,

(d) and $\Gamma_2 \vdash A_2 :: K_2'$.

(e) By the inductive hypothesis, $\Gamma_1 \vdash \Pi\alpha{::}L_1'.L_1'' = \Pi\alpha{::}L_2'.L_2''$

(f) and $\Gamma_1 \vdash p_1 = p_2 :: \Pi\alpha{::}L_1'.L_1''$.

(g) By Lemma 4.4.2, $\Gamma_1 \vdash S(p_1 :: \Pi\alpha{::}L_1'.L_1'') \le K_1' \to K_1''$

(h) and $\Gamma_2 \vdash S(p_2 :: \Pi\alpha{::}L_2'.L_2'') \le K_2' \to K_2''$.

(i) Thus $\Gamma_1 \vdash K_1' \le L_1'$

(j) and $\Gamma_2 \vdash K_2' \le L_2'$.

(k) By subsumption then, $\Gamma_1 \vdash A_1 :: L_1'$

(l) and $\Gamma_2 \vdash A_2 :: L_2'$.

(m) The induction hypothesis applies, and so $\Gamma_1 \vdash A_1 = A_2 :: L_1'$.

(n) Thus $\Gamma_1 \vdash p_1 A_1 = p_2 A_2 :: [A_1/\alpha]L_1''$

(o) and by functionality $\Gamma_1 \vdash [A_1/\alpha]L_1'' = [A_2/\alpha]L_2''$.

• Case: $\Gamma_1 \rhd \pi_1 p_1 \uparrow K_1 \leftrightarrow \Gamma_2 \rhd \pi_1 p_2 \uparrow K_2$ because $\Gamma_1 \rhd p_1 \uparrow \Sigma\alpha{::}K_1.L_1 \leftrightarrow \Gamma_2 \rhd p_2 \uparrow \Sigma\alpha{::}K_2.L_2$.

(a) By Proposition 4.4.1 the inductive hypothesis applies,

(b) so $\Gamma_1 \vdash \Sigma\alpha{::}K_1.L_1 = \Sigma\alpha{::}K_2.L_2$

(c) and $\Gamma_1 \vdash p_1 = p_2 :: \Sigma\alpha{::}K_1.L_1$.

(d) Thus $\Gamma_1 \vdash \pi_1 p_1 = \pi_1 p_2 :: K_1$

(e) and by inversion, $\Gamma_1 \vdash K_1 = K_2$.

• Case: $\Gamma_1 \rhd \pi_2 p_1 \uparrow [\pi_1 p_1/\alpha]L_1 \leftrightarrow \Gamma_2 \rhd \pi_2 p_2 \uparrow [\pi_1 p_2/\alpha]L_2$ because $\Gamma_1 \rhd p_1 \uparrow \Sigma\alpha{::}K_1.L_1 \leftrightarrow \Gamma_2 \rhd p_2 \uparrow \Sigma\alpha{::}K_2.L_2$.

(a) By Proposition 4.4.1 the inductive hypothesis applies,

(b) so $\Gamma_1 \vdash \Sigma\alpha{::}K_1.L_1 = \Sigma\alpha{::}K_2.L_2$

(c) and $\Gamma_1 \vdash p_1 = p_2 :: \Sigma\alpha{::}K_1.L_1$.

(d) Thus $\Gamma_1 \vdash \pi_2 p_1 = \pi_2 p_2 :: [\pi_1 p_1/\alpha]L_1$.

(e) $\Gamma_1 \vdash \pi_1 p_1 = \pi_1 p_2 :: K_1$

(f) So by functionality, $\Gamma_1 \vdash [\pi_1 p_1/\alpha]L_1 = [\pi_1 p_2/\alpha]L_2$.

■


5.3 Completeness of the Revised Algorithms 

To show completeness and termination of the algorithm I use a modified Kripke-style logical relations argument. The strategy for proving completeness of the algorithm is 

1. Define the logical relations; 

2. Show that logically-related constructors are related by the algorithm; 

3. Show that provably-equivalent constructors are logically related. 

From completeness it follows that the algorithm terminates for all well-formed inputs. 

I use $\Delta$ to denote a Kripke world. Worlds are contexts containing no duplicate bound variables; the partial order $\subseteq$ on worlds is simply the weakening ordering given in Definition 3.1.4. The logical relations I use are shown in Figures 5.2, 5.3, and 5.4. 

The logical kind validity relation $(\Delta; K)$ valid is indexed by the world $\Delta$ and is well-defined by induction on the size of kinds. Similarly, the logical constructor validity relation $(\Delta; A; K)$ valid is indexed by a world $\Delta$ and defined by induction on the size of $K$, which must itself be logically valid. 

In addition to validity relations, I have logically-defined binary equivalence relations between (logically valid) types and terms. The unusual part of these relations is that rather than being a binary relation indexed by a single world, they are relations between two kinds or constructors which have been determined to be logically valid under two possibly different worlds. Thus the form of the equivalence of kinds is $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$ and the form of the equivalence on constructors is $(\Delta_1; A_1; K_1)$ is $(\Delta_2; A_2; K_2)$. With this modification, the logical relations are otherwise defined in a reasonably familiar manner. At the base and singleton kinds I impose the algorithmic equivalence as the definition of the logical relation. At higher kinds I use a Kripke-style logical relations interpretation of $\Pi$ and $\Sigma$: functions are related if in all pairs of future worlds related arguments yield related results, and pairs are related if their first and second components are related. 
• $(\Delta; K)$ valid iff 

1. – $K = T$ 

– Or, $K = S(A)$ and $(\Delta; A; T)$ valid 

– Or, $K = \Pi\alpha{::}K'.K''$ and $(\Delta; K')$ valid and $\forall \Delta' \supseteq \Delta, \Delta'' \supseteq \Delta$ if $(\Delta'; A_1; K')$ is $(\Delta''; A_2; K')$ then $(\Delta'; [A_1/\alpha]K'')$ is $(\Delta''; [A_2/\alpha]K'')$ 

– Or, $K = \Sigma\alpha{::}K'.K''$ and $(\Delta; K')$ valid and $\forall \Delta' \supseteq \Delta, \Delta'' \supseteq \Delta$ if $(\Delta'; A_1; K')$ is $(\Delta''; A_2; K')$ then $(\Delta'; [A_1/\alpha]K'')$ is $(\Delta''; [A_2/\alpha]K'')$ 

• $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$ iff 

1. $(\Delta_1; K_1)$ valid and $(\Delta_2; K_2)$ valid. 

2. And, 

– $K_1 = T$ and $K_2 = T$ 

– Or, $K_1 = S(A_1)$ and $K_2 = S(A_2)$ and $(\Delta_1; A_1; T)$ is $(\Delta_2; A_2; T)$ 

– Or, $K_1 = \Pi\alpha{::}K_1'.K_1''$ and $K_2 = \Pi\alpha{::}K_2'.K_2''$ and $(\Delta_1; K_1')$ is $(\Delta_2; K_2')$ and $\forall \Delta_1' \supseteq \Delta_1, \Delta_2' \supseteq \Delta_2$ if $(\Delta_1'; A_1; K_1')$ is $(\Delta_2'; A_2; K_2')$ then $(\Delta_1'; [A_1/\alpha]K_1'')$ is $(\Delta_2'; [A_2/\alpha]K_2'')$ 

– Or, $K_1 = \Sigma\alpha{::}K_1'.K_1''$ and $K_2 = \Sigma\alpha{::}K_2'.K_2''$ and $(\Delta_1; K_1')$ is $(\Delta_2; K_2')$ and $\forall \Delta_1' \supseteq \Delta_1, \Delta_2' \supseteq \Delta_2$ if $(\Delta_1'; A_1; K_1')$ is $(\Delta_2'; A_2; K_2')$ then $(\Delta_1'; [A_1/\alpha]K_1'')$ is $(\Delta_2'; [A_2/\alpha]K_2'')$ 

• $(\Delta_1; K_1 \le L_1)$ is $(\Delta_2; K_2 \le L_2)$ iff 

1. $\forall \Delta_1' \supseteq \Delta_1, \Delta_2' \supseteq \Delta_2$ if $(\Delta_1'; A_1; K_1)$ is $(\Delta_2'; A_2; K_2)$ then $(\Delta_1'; A_1; L_1)$ is $(\Delta_2'; A_2; L_2)$. 

Figure 5.2: Logical Relations for Kinds 


With these definitions in hand I construct derived relations. The relation $(\Delta_1; K_1 \le L_1)$ is $(\Delta_2; K_2 \le L_2)$ is defined to satisfy the following “subsumption-like” behavior: 

$$\frac{(\Delta_1; A_1; K_1)\ \text{is}\ (\Delta_2; A_2; K_2) \qquad (\Delta_1; K_1 \le L_1)\ \text{is}\ (\Delta_2; K_2 \le L_2)}{(\Delta_1; A_1; L_1)\ \text{is}\ (\Delta_2; A_2; L_2)}$$

Finally, validity and equivalence relations for substitutions are defined pointwise. 

The first property to be checked is that the logical relations are monotone (preserved when 
passing to future worlds), which corresponds to the weakening property for the algorithmic relations. 

Lemma 5.3.1 (Algorithmic Weakening) 

1. If $\Gamma \rhd A \leadsto B$ and $\Gamma' \supseteq \Gamma$ then $\Gamma' \rhd A \leadsto B$. 

2. If $\Gamma \rhd A \Downarrow p$ and $\Gamma' \supseteq \Gamma$ then $\Gamma' \rhd A \Downarrow p$. 

3. If $\Gamma \rhd A \uparrow K$ and $\Gamma' \supseteq \Gamma$ then $\Gamma' \rhd A \uparrow K$. 

4. If $\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: K_2$, $\Gamma_1' \supseteq \Gamma_1$, and $\Gamma_2' \supseteq \Gamma_2$, then $\Gamma_1' \rhd A_1 :: K_1 \Leftrightarrow \Gamma_2' \rhd A_2 :: K_2$. 

5. If $\Gamma_1 \rhd A_1 \uparrow K_1 \leftrightarrow \Gamma_2 \rhd A_2 \uparrow K_2$, $\Gamma_1' \supseteq \Gamma_1$, and $\Gamma_2' \supseteq \Gamma_2$, then $\Gamma_1' \rhd A_1 \uparrow K_1 \leftrightarrow \Gamma_2' \rhd A_2 \uparrow K_2$. 
• $(\Delta; A; K)$ valid iff 

1. $(\Delta; K)$ valid 

2. And, 

– $K = T$ and $\Delta \rhd A :: T \Leftrightarrow \Delta \rhd A :: T$. 

– Or, $K = S(B)$ and $(\Delta; A; T)$ is $(\Delta; B; T)$. 

– Or, $K = \Pi\alpha{::}K'.K''$, and $\forall \Delta' \supseteq \Delta, \Delta'' \supseteq \Delta$ if $(\Delta'; B_1; K')$ is $(\Delta''; B_2; K')$ then $(\Delta'; A\,B_1; [B_1/\alpha]K'')$ is $(\Delta''; A\,B_2; [B_2/\alpha]K'')$. 

– Or, $K = \Sigma\alpha{::}K'.K''$, $(\Delta; \pi_1 A; K')$ valid and $(\Delta; \pi_2 A; [\pi_1 A/\alpha]K'')$ valid 

• $(\Delta_1; A_1; K_1)$ is $(\Delta_2; A_2; K_2)$ iff 

1. $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$ 

2. And, $(\Delta_1; A_1; K_1)$ valid and $(\Delta_2; A_2; K_2)$ valid 

3. And, 

– $K_1 = K_2 = T$ and $\Delta_1 \rhd A_1 :: T \Leftrightarrow \Delta_2 \rhd A_2 :: T$. 

– Or, $K_1 = S(B_1)$, $K_2 = S(B_2)$, and $(\Delta_1; A_1; T)$ is $(\Delta_2; A_2; T)$ 

– Or, $K_1 = \Pi\alpha{::}K_1'.K_1''$, $K_2 = \Pi\alpha{::}K_2'.K_2''$ and $\forall \Delta_1' \supseteq \Delta_1, \Delta_2' \supseteq \Delta_2$ if $(\Delta_1'; B_1; K_1')$ is $(\Delta_2'; B_2; K_2')$ then $(\Delta_1'; A_1\,B_1; [B_1/\alpha]K_1'')$ is $(\Delta_2'; A_2\,B_2; [B_2/\alpha]K_2'')$. 

– Or, $K_1 = \Sigma\alpha{::}K_1'.K_1''$, $K_2 = \Sigma\alpha{::}K_2'.K_2''$, $(\Delta_1; \pi_1 A_1; K_1')$ is $(\Delta_2; \pi_1 A_2; K_2')$ and $(\Delta_1; \pi_2 A_1; [\pi_1 A_1/\alpha]K_1'')$ is $(\Delta_2; \pi_2 A_2; [\pi_1 A_2/\alpha]K_2'')$ 

Figure 5.3: Logical Relations for Constructors 


• $(\Delta; \gamma; \Gamma)$ valid iff 

1. $\forall \alpha \in \mathrm{dom}(\Gamma).\ (\Delta; \gamma\alpha; \gamma(\Gamma(\alpha)))$ valid. 

• $(\Delta_1; \gamma_1; \Gamma_1)$ is $(\Delta_2; \gamma_2; \Gamma_2)$ iff 

1. $(\Delta_1; \gamma_1; \Gamma_1)$ valid and $(\Delta_2; \gamma_2; \Gamma_2)$ valid 

2. And, $\forall \alpha \in \mathrm{dom}(\Gamma_1) = \mathrm{dom}(\Gamma_2).\ (\Delta_1; \gamma_1\alpha; \gamma_1(\Gamma_1(\alpha)))$ is $(\Delta_2; \gamma_2\alpha; \gamma_2(\Gamma_2(\alpha)))$. 

Figure 5.4: Logical Relations for Substitutions 






6. If $\Gamma_1 \rhd K_1 \Leftrightarrow \Gamma_2 \rhd K_2$, $\Gamma_1' \supseteq \Gamma_1$, and $\Gamma_2' \supseteq \Gamma_2$, then $\Gamma_1' \rhd K_1 \Leftrightarrow \Gamma_2' \rhd K_2$. 

Proof: By induction on algorithmic derivations. ■ 

Lemma 5.3.2 (Monotonicity) 

1. If $(\Delta_1; K_1)$ valid and $\Delta_1' \supseteq \Delta_1$ then $(\Delta_1'; K_1)$ valid. 

2. If $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$, $\Delta_1' \supseteq \Delta_1$, and $\Delta_2' \supseteq \Delta_2$ then $(\Delta_1'; K_1)$ is $(\Delta_2'; K_2)$. 

3. If $(\Delta_1; K_1 \le L_1)$ is $(\Delta_2; K_2 \le L_2)$, $\Delta_1' \supseteq \Delta_1$, and $\Delta_2' \supseteq \Delta_2$ then $(\Delta_1'; K_1 \le L_1)$ is $(\Delta_2'; K_2 \le L_2)$. 

4. If $(\Delta_1; A_1; K_1)$ valid and $\Delta_1' \supseteq \Delta_1$ then $(\Delta_1'; A_1; K_1)$ valid. 

5. If $(\Delta_1; A_1; K_1)$ is $(\Delta_2; A_2; K_2)$, $\Delta_1' \supseteq \Delta_1$, and $\Delta_2' \supseteq \Delta_2$ then $(\Delta_1'; A_1; K_1)$ is $(\Delta_2'; A_2; K_2)$. 

6. If $(\Delta; \gamma; \Gamma)$ valid and $\Delta' \supseteq \Delta$ then $(\Delta'; \gamma; \Gamma)$ valid. 

7. If $(\Delta_1; \gamma_1; \Gamma_1)$ is $(\Delta_2; \gamma_2; \Gamma_2)$, $\Delta_1' \supseteq \Delta_1$, and $\Delta_2' \supseteq \Delta_2$ then $(\Delta_1'; \gamma_1; \Gamma_1)$ is $(\Delta_2'; \gamma_2; \Gamma_2)$. 

Proof: 

1–5. By induction on the size of kinds. 

6–7. By the previous parts. 

■ 

The logical relations obey reflexivity, symmetry, and transitivity properties. The logical relations were carefully defined so that the following property holds: 

Lemma 5.3.3 (Reflexivity) 

1. $(\Delta; K)$ valid if and only if $(\Delta; K)$ is $(\Delta; K)$. 

2. $(\Delta; A; K)$ valid if and only if $(\Delta; A; K)$ is $(\Delta; A; K)$. 

3. $(\Delta; \gamma; \Gamma)$ valid if and only if $(\Delta; \gamma; \Gamma)$ is $(\Delta; \gamma; \Gamma)$. 

Proof: The “if” direction is immediate from the definitions of the logical relations, so we only show the “only if” direction. 

1. By induction on the size of $K$. Assume $(\Delta; K)$ valid. 

• Case: $K = T$. Follows by definition of $(\Delta; T)$ is $(\Delta; T)$. 

• Case: $K = S(B)$. 

(a) $(\Delta; B; T)$ valid. 

(b) $\Delta \rhd B :: T \Leftrightarrow \Delta \rhd B :: T$. 

(c) Then $(\Delta; B; T)$ valid 

(d) and $(\Delta; B; T)$ is $(\Delta; B; T)$. 

(e) Therefore $(\Delta; S(B))$ is $(\Delta; S(B))$. 

• Case: $K = \Pi\alpha{::}K'.K''$. 

(a) By $(\Delta; \Pi\alpha{::}K'.K'')$ valid we have $(\Delta; K')$ valid. 

(b) By the inductive hypothesis, $(\Delta; K')$ is $(\Delta; K')$. 

(c) Let $(\Delta', \Delta'') \supseteq (\Delta, \Delta)$ 

(d) and assume $(\Delta'; A_1; K')$ is $(\Delta''; A_2; K')$. 

(e) By $(\Delta; \Pi\alpha{::}K'.K'')$ valid we have $(\Delta'; [A_1/\alpha]K'')$ is $(\Delta''; [A_2/\alpha]K'')$. 

(f) Therefore $(\Delta; \Pi\alpha{::}K'.K'')$ is $(\Delta; \Pi\alpha{::}K'.K'')$. 

• Case: $K = \Sigma\alpha{::}K'.K''$. 

Same proof as for the $\Pi$ case. 

2. By induction on the size of $K$. Assume $(\Delta; A; K)$ valid. Then $(\Delta; K)$ valid so that by part 1, $(\Delta; K)$ is $(\Delta; K)$. 

• Case: $K = T$. 

(a) $(\Delta; A; T)$ valid implies $\Delta \rhd A :: T \Leftrightarrow \Delta \rhd A :: T$. 

(b) Therefore, $(\Delta; A; T)$ is $(\Delta; A; T)$. 

• Case: $K = S(B)$. 

(a) $(\Delta; A; S(B))$ valid implies $\Delta \rhd A :: T \Leftrightarrow \Delta \rhd B :: T$. 

(b) By Lemma 5.2.1, $\Delta \rhd A :: T \Leftrightarrow \Delta \rhd A :: T$, 

(c) so $(\Delta; A; T)$ valid 

(d) and $(\Delta; A; T)$ is $(\Delta; A; T)$. 

(e) Therefore $(\Delta; A; S(B))$ is $(\Delta; A; S(B))$. 

• Case: $K = \Pi\alpha{::}K'.K''$. 

(a) Let $\Delta', \Delta'' \supseteq \Delta$ and assume $(\Delta'; B_1; K')$ is $(\Delta''; B_2; K')$. 

(b) Then $(\Delta'; A\,B_1; [B_1/\alpha]K'')$ is $(\Delta''; A\,B_2; [B_2/\alpha]K'')$. 

(c) Therefore $(\Delta; A; \Pi\alpha{::}K'.K'')$ is $(\Delta; A; \Pi\alpha{::}K'.K'')$. 

• Case: $K = \Sigma\alpha{::}K'.K''$. 

(a) Then $(\Delta; \pi_1 A; K')$ valid 

(b) and $(\Delta; \pi_2 A; [\pi_1 A/\alpha]K'')$ valid. 

(c) By the inductive hypothesis, $(\Delta; \pi_1 A; K')$ is $(\Delta; \pi_1 A; K')$ 

(d) and $(\Delta; \pi_2 A; [\pi_1 A/\alpha]K'')$ is $(\Delta; \pi_2 A; [\pi_1 A/\alpha]K'')$. 

(e) Therefore $(\Delta; A; \Sigma\alpha{::}K'.K'')$ is $(\Delta; A; \Sigma\alpha{::}K'.K'')$. 

3. (a) Assume $(\Delta; \gamma; \Gamma)$ valid. 

(b) Let $\alpha \in \mathrm{dom}(\Gamma)$ be given. 

(c) Then $(\Delta; \gamma\alpha; \gamma(\Gamma(\alpha)))$ valid. 

(d) By part 2, $(\Delta; \gamma\alpha; \gamma(\Gamma(\alpha)))$ is $(\Delta; \gamma\alpha; \gamma(\Gamma(\alpha)))$. 

(e) Therefore $(\Delta; \gamma; \Gamma)$ is $(\Delta; \gamma; \Gamma)$. 

■ 

I next give a technical lemma which relates logical equivalence of kinds to logical subkinding. An easy corollary of this lemma is the following rule: 

$$\frac{(\Delta_1; A_1; K_1)\ \text{is}\ (\Delta_2; A_2; K_2) \qquad \begin{array}{ccc} (\Delta_1; K_1) & \text{is} & (\Delta_2; K_2) \\ \text{is} & & \text{is} \\ (\Delta_1; L_1) & \text{is} & (\Delta_2; L_2) \end{array}}{(\Delta_1; A_1; L_1)\ \text{is}\ (\Delta_2; A_2; L_2)}$$
Lemma 5.3.4 

If $(\Delta_1; L_1)$ is $(\Delta_2; L_2)$, $(\Delta_1; K_1)$ is $(\Delta_1; L_1)$, and $(\Delta_2; K_2)$ is $(\Delta_2; L_2)$ then $(\Delta_1; K_1 \le L_1)$ is $(\Delta_2; K_2 \le L_2)$. 

Proof: By induction on the sizes of kinds. 

Assume $(\Delta_1; L_1)$ is $(\Delta_2; L_2)$, $(\Delta_1; K_1)$ is $(\Delta_1; L_1)$, and $(\Delta_2; K_2)$ is $(\Delta_2; L_2)$. 

Let $(\Delta_1', \Delta_2') \supseteq (\Delta_1, \Delta_2)$ and assume $(\Delta_1'; A_1; K_1)$ is $(\Delta_2'; A_2; K_2)$. Then $(\Delta_1'; K_1)$ is $(\Delta_2'; K_2)$. 

• Case $K_1 = K_2 = L_1 = L_2 = T$. $(\Delta_1'; A_1; T)$ is $(\Delta_2'; A_2; T)$ by assumption. 

• Case $K_1 = S(B_1)$, $K_2 = S(B_2)$, $L_1 = S(C_1)$, and $L_2 = S(C_2)$. 

1. By weakening, $\Delta_1' \rhd B_1 :: T \Leftrightarrow \Delta_1' \rhd C_1 :: T$ 

2. and $\Delta_2' \rhd B_2 :: T \Leftrightarrow \Delta_2' \rhd C_2 :: T$ 

3. and $\Delta_1' \rhd C_1 :: T \Leftrightarrow \Delta_2' \rhd C_2 :: T$. 

4. Similarly, $\Delta_1' \rhd A_1 :: T \Leftrightarrow \Delta_1' \rhd B_1 :: T$, 

5. $\Delta_2' \rhd A_2 :: T \Leftrightarrow \Delta_2' \rhd B_2 :: T$, 

6. and $\Delta_1' \rhd A_1 :: T \Leftrightarrow \Delta_2' \rhd A_2 :: T$. 

7. Thus by transitivity, $\Delta_1' \rhd A_1 :: T \Leftrightarrow \Delta_1' \rhd C_1 :: T$ 

8. and $\Delta_2' \rhd A_2 :: T \Leftrightarrow \Delta_2' \rhd C_2 :: T$. 

9. Therefore $(\Delta_1'; A_1; S(C_1))$ valid, 

10. $(\Delta_2'; A_2; S(C_2))$ valid, 

11. and $(\Delta_1'; A_1; S(C_1))$ is $(\Delta_2'; A_2; S(C_2))$. 

• Case: $K_1 = \Pi\alpha{::}K_1'.K_1''$, $K_2 = \Pi\alpha{::}K_2'.K_2''$, $L_1 = \Pi\alpha{::}L_1'.L_1''$, and $L_2 = \Pi\alpha{::}L_2'.L_2''$. 

1. Let $(\Delta_1'', \Delta_2'') \supseteq (\Delta_1', \Delta_2')$ and assume $(\Delta_1''; B_1; L_1')$ is $(\Delta_2''; B_2; L_2')$. 

2. By monotonicity, $(\Delta_1''; K_1')$ is $(\Delta_2''; K_2')$, 

3. $(\Delta_1''; L_1')$ is $(\Delta_2''; L_2')$, 

4. $(\Delta_1''; K_1')$ is $(\Delta_1''; L_1')$, and 

5. $(\Delta_2''; K_2')$ is $(\Delta_2''; L_2')$. 

6. By reflexivity and the inductive hypothesis, $(\Delta_1''; L_1' \le K_1')$ is $(\Delta_2''; L_2' \le K_2')$, $(\Delta_1''; L_1' \le K_1')$ is $(\Delta_1''; L_1' \le L_1')$, and $(\Delta_2''; L_2' \le K_2')$ is $(\Delta_2''; L_2' \le L_2')$. 

7. Thus $(\Delta_1''; B_1; K_1')$ is $(\Delta_2''; B_2; K_2')$. 

8. Since $(\Delta_1''; B_1; L_1')$ is $(\Delta_1''; B_1; L_1')$ and $(\Delta_2''; B_2; L_2')$ is $(\Delta_2''; B_2; L_2')$, 

9. we have $(\Delta_1''; B_1; K_1')$ is $(\Delta_1''; B_1; L_1')$, 

10. and $(\Delta_2''; B_2; K_2')$ is $(\Delta_2''; B_2; L_2')$. 

11. So, $(\Delta_1''; A_1\,B_1; [B_1/\alpha]K_1'')$ is $(\Delta_2''; A_2\,B_2; [B_2/\alpha]K_2'')$, 

12. $(\Delta_1''; [B_1/\alpha]K_1'')$ is $(\Delta_1''; [B_1/\alpha]L_1'')$, 

13. $(\Delta_1''; [B_1/\alpha]L_1'')$ is $(\Delta_2''; [B_2/\alpha]L_2'')$, 

14. and $(\Delta_2''; [B_2/\alpha]K_2'')$ is $(\Delta_2''; [B_2/\alpha]L_2'')$. 

15. By the inductive hypothesis, $(\Delta_1''; [B_1/\alpha]K_1'' \le [B_1/\alpha]L_1'')$ is $(\Delta_2''; [B_2/\alpha]K_2'' \le [B_2/\alpha]L_2'')$. 

16. Thus $(\Delta_1''; A_1\,B_1; [B_1/\alpha]L_1'')$ is $(\Delta_2''; A_2\,B_2; [B_2/\alpha]L_2'')$. 

17. Similar arguments show that $(\Delta_1'; A_1; \Pi\alpha{::}L_1'.L_1'')$ valid and $(\Delta_2'; A_2; \Pi\alpha{::}L_2'.L_2'')$ valid. 

18. Therefore $(\Delta_1'; A_1; \Pi\alpha{::}L_1'.L_1'')$ is $(\Delta_2'; A_2; \Pi\alpha{::}L_2'.L_2'')$. 

• Case: $K_1 = \Sigma\alpha{::}K_1'.K_1''$, $K_2 = \Sigma\alpha{::}K_2'.K_2''$, $L_1 = \Sigma\alpha{::}L_1'.L_1''$, and $L_2 = \Sigma\alpha{::}L_2'.L_2''$. 

1. $(\Delta_1'; \pi_1 A_1; K_1')$ is $(\Delta_2'; \pi_1 A_2; K_2')$. 

2. Also, $(\Delta_1'; K_1')$ is $(\Delta_2'; K_2')$, 

3. $(\Delta_1'; L_1')$ is $(\Delta_2'; L_2')$, 

4. $(\Delta_1'; K_1')$ is $(\Delta_1'; L_1')$, 

5. and $(\Delta_2'; K_2')$ is $(\Delta_2'; L_2')$. 

6. By the inductive hypothesis, $(\Delta_1'; K_1' \le L_1')$ is $(\Delta_2'; K_2' \le L_2')$, 

7. so $(\Delta_1'; \pi_1 A_1; L_1')$ is $(\Delta_2'; \pi_1 A_2; L_2')$. 

8. By similar considerations, $(\Delta_1'; [\pi_1 A_1/\alpha]K_1'')$ is $(\Delta_1'; [\pi_1 A_1/\alpha]L_1'')$, 

9. $(\Delta_2'; [\pi_1 A_2/\alpha]K_2'')$ is $(\Delta_2'; [\pi_1 A_2/\alpha]L_2'')$, 

10. and $(\Delta_1'; [\pi_1 A_1/\alpha]L_1'')$ is $(\Delta_2'; [\pi_1 A_2/\alpha]L_2'')$. 

11. By the inductive hypothesis, $(\Delta_1'; [\pi_1 A_1/\alpha]K_1'' \le [\pi_1 A_1/\alpha]L_1'')$ is $(\Delta_2'; [\pi_1 A_2/\alpha]K_2'' \le [\pi_1 A_2/\alpha]L_2'')$. 

12. Since $(\Delta_1'; \pi_2 A_1; [\pi_1 A_1/\alpha]K_1'')$ is $(\Delta_2'; \pi_2 A_2; [\pi_1 A_2/\alpha]K_2'')$, 

13. we have $(\Delta_1'; \pi_2 A_1; [\pi_1 A_1/\alpha]L_1'')$ is $(\Delta_2'; \pi_2 A_2; [\pi_1 A_2/\alpha]L_2'')$. 

14. Therefore $(\Delta_1'; A_1; \Sigma\alpha{::}L_1'.L_1'')$ is $(\Delta_2'; A_2; \Sigma\alpha{::}L_2'.L_2'')$. 

■ 

Symmetry is straightforward and exactly analogous to the symmetry properties of the algorithmic relations. 

Lemma 5.3.5 (Symmetry) 

1. If $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$ then $(\Delta_2; K_2)$ is $(\Delta_1; K_1)$. 

2. If $(\Delta_1; A_1; K_1)$ is $(\Delta_2; A_2; K_2)$ then $(\Delta_2; A_2; K_2)$ is $(\Delta_1; A_1; K_1)$. 

3. If $(\Delta_1; \gamma_1; \Gamma_1)$ is $(\Delta_2; \gamma_2; \Gamma_2)$ then $(\Delta_2; \gamma_2; \Gamma_2)$ is $(\Delta_1; \gamma_1; \Gamma_1)$. 

Proof: Parts 1 and 2 are proved simultaneously by induction on the size of kinds. Part 3 then follows directly. 

1. Assume $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$. Then $(\Delta_1; K_1)$ valid and $(\Delta_2; K_2)$ valid. 

• Case: $K_1 = K_2 = T$. Trivial. 

• Case: $K_1 = S(A_1)$, $K_2 = S(A_2)$. 

(a) $(\Delta_1; A_1; T)$ is $(\Delta_2; A_2; T)$. 

(b) Inductively by part 2, $(\Delta_2; A_2; T)$ is $(\Delta_1; A_1; T)$. 

(c) Therefore $(\Delta_2; S(A_2))$ is $(\Delta_1; S(A_1))$. 

• Case: $K_1 = \Pi\alpha{::}K_1'.K_1''$ and $K_2 = \Pi\alpha{::}K_2'.K_2''$. 

(a) $(\Delta_1; K_1')$ is $(\Delta_2; K_2')$ by $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$, 

(b) Inductively, $(\Delta_2; K_2')$ is $(\Delta_1; K_1')$. 

(c) Let $\Delta_1' \supseteq \Delta_1$ and $\Delta_2' \supseteq \Delta_2$ and assume $(\Delta_2'; A_2; K_2')$ is $(\Delta_1'; A_1; K_1')$. 

(d) Inductively by part 2, $(\Delta_1'; A_1; K_1')$ is $(\Delta_2'; A_2; K_2')$. 

(e) By $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$ again, $(\Delta_1'; [A_1/\alpha]K_1'')$ is $(\Delta_2'; [A_2/\alpha]K_2'')$ 

(f) By the inductive hypothesis again, $(\Delta_2'; [A_2/\alpha]K_2'')$ is $(\Delta_1'; [A_1/\alpha]K_1'')$. 

(g) Therefore, $(\Delta_2; \Pi\alpha{::}K_2'.K_2'')$ is $(\Delta_1; \Pi\alpha{::}K_1'.K_1'')$. 

• Case: $K_1 = \Sigma\alpha{::}K_1'.K_1''$ and $K_2 = \Sigma\alpha{::}K_2'.K_2''$. Same proof as for $\Pi$ types. 

2. Assume $(\Delta_1; A_1; K_1)$ is $(\Delta_2; A_2; K_2)$. Then $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$, $(\Delta_1; A_1; K_1)$ valid, and $(\Delta_2; A_2; K_2)$ valid. 

By part 1, $(\Delta_2; K_2)$ is $(\Delta_1; K_1)$. 

• Case $K_1 = K_2 = T$. 

(a) $\Delta_1 \rhd A_1 :: K_1 \Leftrightarrow \Delta_2 \rhd A_2 :: K_2$ 

(b) By Lemma 5.2.1, $\Delta_2 \rhd A_2 :: K_2 \Leftrightarrow \Delta_1 \rhd A_1 :: K_1$. 

(c) Therefore $(\Delta_2; A_2; T)$ is $(\Delta_1; A_1; T)$. 

• Case $K_1 = S(B_1)$ and $K_2 = S(B_2)$. 

(a) $(\Delta_1; A_1; T)$ is $(\Delta_2; A_2; T)$. 

(b) By the inductive hypothesis, $(\Delta_2; A_2; T)$ is $(\Delta_1; A_1; T)$. 

(c) Therefore $(\Delta_2; A_2; S(B_2))$ is $(\Delta_1; A_1; S(B_1))$. 

• Case $K_1 = \Pi\alpha{::}K_1'.K_1''$ and $K_2 = \Pi\alpha{::}K_2'.K_2''$. 

(a) Let $\Delta_2' \supseteq \Delta_2$ and $\Delta_1' \supseteq \Delta_1$ and assume $(\Delta_2'; B_2; K_2')$ is $(\Delta_1'; B_1; K_1')$. 

(b) By the inductive hypothesis, $(\Delta_1'; B_1; K_1')$ is $(\Delta_2'; B_2; K_2')$. 

(c) Thus $(\Delta_1'; A_1\,B_1; [B_1/\alpha]K_1'')$ is $(\Delta_2'; A_2\,B_2; [B_2/\alpha]K_2'')$. 

(d) By the inductive hypothesis, $(\Delta_2'; A_2\,B_2; [B_2/\alpha]K_2'')$ is $(\Delta_1'; A_1\,B_1; [B_1/\alpha]K_1'')$. 

(e) Therefore $(\Delta_2; A_2; \Pi\alpha{::}K_2'.K_2'')$ is $(\Delta_1; A_1; \Pi\alpha{::}K_1'.K_1'')$. 

• Case $K_1 = \Sigma\alpha{::}K_1'.K_1''$ and $K_2 = \Sigma\alpha{::}K_2'.K_2''$. 

(a) Then $(\Delta_1; \pi_1 A_1; K_1')$ is $(\Delta_2; \pi_1 A_2; K_2')$ 

(b) and $(\Delta_1; \pi_2 A_1; [\pi_1 A_1/\alpha]K_1'')$ is $(\Delta_2; \pi_2 A_2; [\pi_1 A_2/\alpha]K_2'')$. 

(c) By the inductive hypothesis, $(\Delta_2; \pi_1 A_2; K_2')$ is $(\Delta_1; \pi_1 A_1; K_1')$ 

(d) and $(\Delta_2; \pi_2 A_2; [\pi_1 A_2/\alpha]K_2'')$ is $(\Delta_1; \pi_2 A_1; [\pi_1 A_1/\alpha]K_1'')$. 

(e) Therefore $(\Delta_2; A_2; \Sigma\alpha{::}K_2'.K_2'')$ is $(\Delta_1; A_1; \Sigma\alpha{::}K_1'.K_1'')$. 

■ 


In contrast, the logical relation cannot easily be shown to obey the same transitivity property as the algorithmic relations; it does hold at the base kind but does not lift to function kinds. I therefore prove a slightly weaker property, which is nevertheless what we need for the remainder of the proof. The key difference is that the transitivity property for the algorithm involves three contexts/worlds, whereas the following lemma only involves two. 

Lemma 5.3.6 (Transitivity) 

1. If $(\Delta_1; K_1)$ is $(\Delta_1; L_1)$ and $(\Delta_1; L_1)$ is $(\Delta_2; K_2)$ then $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$. 




2. If $(\Delta_1; A_1; K_1)$ is $(\Delta_1; B_1; L_1)$ and $(\Delta_1; B_1; L_1)$ is $(\Delta_2; A_2; K_2)$ then $(\Delta_1; A_1; K_1)$ is $(\Delta_2; A_2; K_2)$. 

Proof: 

1. Assume $(\Delta_1; K_1)$ is $(\Delta_1; L_1)$ and $(\Delta_1; L_1)$ is $(\Delta_2; K_2)$. First, $(\Delta_1; K_1)$ valid and $(\Delta_2; K_2)$ valid. 

• Case: $K_1 = L_1 = K_2 = T$. 

$(\Delta_1; T)$ is $(\Delta_2; T)$ always. 

• Case: $K_1 = S(A_1)$, $L_1 = S(B_1)$, and $K_2 = S(A_2)$. 

(a) Then $\Delta_1 \rhd A_1 :: T \Leftrightarrow \Delta_1 \rhd B_1 :: T$ 

(b) and $\Delta_1 \rhd B_1 :: T \Leftrightarrow \Delta_2 \rhd A_2 :: T$. 

(c) By Lemma 5.2.1, $\Delta_1 \rhd A_1 :: T \Leftrightarrow \Delta_2 \rhd A_2 :: T$. 

(d) Therefore $(\Delta_1; S(A_1))$ is $(\Delta_2; S(A_2))$. 

• Case: $K_1 = \Pi\alpha{::}K_1'.K_1''$, $L_1 = \Pi\alpha{::}L_1'.L_1''$, and $K_2 = \Pi\alpha{::}K_2'.K_2''$. 

(a) $(\Delta_1; K_1')$ is $(\Delta_1; L_1')$ and $(\Delta_1; L_1')$ is $(\Delta_2; K_2')$. 

(b) By induction, $(\Delta_1; K_1')$ is $(\Delta_2; K_2')$. 

(c) Let $(\Delta_1', \Delta_2') \supseteq (\Delta_1, \Delta_2)$ 

(d) and assume $(\Delta_1'; A_1; K_1')$ is $(\Delta_2'; A_2; K_2')$. 

(e) By Lemma 5.3.3, $(\Delta_1'; K_1')$ is $(\Delta_1'; K_1')$. 

(f) By monotonicity and Lemma 5.3.4, $(\Delta_1'; K_1' \le K_1')$ is $(\Delta_1'; K_1' \le L_1')$. 

(g) Since $(\Delta_1'; A_1; K_1')$ is $(\Delta_1'; A_1; K_1')$, 

(h) we have $(\Delta_1'; A_1; K_1')$ is $(\Delta_1'; A_1; L_1')$. 

(i) Thus $(\Delta_1'; [A_1/\alpha]K_1'')$ is $(\Delta_1'; [A_1/\alpha]L_1'')$. 

(j) Similarly, $(\Delta_1'; K_1' \le L_1')$ is $(\Delta_2'; K_2' \le K_2')$. 

(k) Then $(\Delta_1'; A_1; L_1')$ is $(\Delta_2'; A_2; K_2')$. 

(l) So, $(\Delta_1'; [A_1/\alpha]L_1'')$ is $(\Delta_2'; [A_2/\alpha]K_2'')$. 

(m) By induction, $(\Delta_1'; [A_1/\alpha]K_1'')$ is $(\Delta_2'; [A_2/\alpha]K_2'')$. 

(n) Therefore $(\Delta_1; \Pi\alpha{::}K_1'.K_1'')$ is $(\Delta_2; \Pi\alpha{::}K_2'.K_2'')$. 

• Case: $K_1 = \Sigma\alpha{::}K_1'.K_1''$, $L_1 = \Sigma\alpha{::}L_1'.L_1''$, and $K_2 = \Sigma\alpha{::}K_2'.K_2''$. 

Same proof as for $\Pi$ types. 

2. Assume $(\Delta_1; A_1; K_1)$ is $(\Delta_1; B_1; L_1)$ and $(\Delta_1; B_1; L_1)$ is $(\Delta_2; A_2; K_2)$. Then $(\Delta_1; A_1; K_1)$ valid, $(\Delta_2; A_2; K_2)$ valid, $(\Delta_1; K_1)$ is $(\Delta_1; L_1)$, and $(\Delta_1; L_1)$ is $(\Delta_2; K_2)$. By part 1, $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$. 

• Case: $K_1 = L_1 = K_2 = T$. 

(a) $\Delta_1 \rhd A_1 :: T \Leftrightarrow \Delta_1 \rhd B_1 :: T$ 

(b) and $\Delta_1 \rhd B_1 :: T \Leftrightarrow \Delta_2 \rhd A_2 :: T$. 

(c) By Lemma 5.2.1, $\Delta_1 \rhd A_1 :: T \Leftrightarrow \Delta_2 \rhd A_2 :: T$. 

(d) Therefore $(\Delta_1; A_1; T)$ is $(\Delta_2; A_2; T)$. 

• Case: $K_1 = S(A_1')$, $L_1 = S(B_1')$, and $K_2 = S(A_2')$. 

(a) $(\Delta_1; A_1; T)$ is $(\Delta_1; B_1; T)$ 

(b) and $(\Delta_1; B_1; T)$ is $(\Delta_2; A_2; T)$. 

(c) By the inductive hypothesis, $(\Delta_1; A_1; T)$ is $(\Delta_2; A_2; T)$. 

(d) Therefore $(\Delta_1; A_1; S(A_1'))$ is $(\Delta_2; A_2; S(A_2'))$. 

• Case: $K_1 = \Pi\alpha{::}K_1'.K_1''$, $L_1 = \Pi\alpha{::}L_1'.L_1''$, and $K_2 = \Pi\alpha{::}K_2'.K_2''$. 

(a) Let $(\Delta_1', \Delta_2') \supseteq (\Delta_1, \Delta_2)$ 

(b) and assume $(\Delta_1'; A_1'; K_1')$ is $(\Delta_2'; A_2'; K_2')$. 

(c) Then by monotonicity $(\Delta_1'; K_1')$ is $(\Delta_1'; L_1')$ and $(\Delta_1'; L_1')$ is $(\Delta_2'; K_2')$. 

(d) By Lemma 5.3.4, $(\Delta_1'; K_1' \le K_1')$ is $(\Delta_1'; K_1' \le L_1')$. 

(e) By Lemma 5.3.3, $(\Delta_1'; A_1'; K_1')$ is $(\Delta_1'; A_1'; K_1')$, 

(f) so $(\Delta_1'; A_1'; K_1')$ is $(\Delta_1'; A_1'; L_1')$. 

(g) Thus $(\Delta_1'; A_1\,A_1'; [A_1'/\alpha]K_1'')$ is $(\Delta_1'; B_1\,A_1'; [A_1'/\alpha]L_1'')$. 

(h) Similarly, $(\Delta_1'; K_1' \le L_1')$ is $(\Delta_2'; K_2' \le K_2')$, 

(i) so $(\Delta_1'; A_1'; L_1')$ is $(\Delta_2'; A_2'; K_2')$. 

(j) Thus, $(\Delta_1'; B_1\,A_1'; [A_1'/\alpha]L_1'')$ is $(\Delta_2'; A_2\,A_2'; [A_2'/\alpha]K_2'')$. 

(k) By the inductive hypothesis, $(\Delta_1'; A_1\,A_1'; [A_1'/\alpha]K_1'')$ is $(\Delta_2'; A_2\,A_2'; [A_2'/\alpha]K_2'')$. 

(l) Therefore, $(\Delta_1; A_1; \Pi\alpha{::}K_1'.K_1'')$ is $(\Delta_2; A_2; \Pi\alpha{::}K_2'.K_2'')$. 

• Case: $K_1 = \Sigma\alpha{::}K_1'.K_1''$, $L_1 = \Sigma\alpha{::}L_1'.L_1''$, and $K_2 = \Sigma\alpha{::}K_2'.K_2''$. 

(a) $(\Delta_1; \pi_1 A_1; K_1')$ is $(\Delta_1; \pi_1 B_1; L_1')$ 

(b) and $(\Delta_1; \pi_1 B_1; L_1')$ is $(\Delta_2; \pi_1 A_2; K_2')$. 

(c) By the inductive hypothesis, $(\Delta_1; \pi_1 A_1; K_1')$ is $(\Delta_2; \pi_1 A_2; K_2')$. 

(d) Similarly, $(\Delta_1; \pi_2 A_1; [\pi_1 A_1/\alpha]K_1'')$ is $(\Delta_1; \pi_2 B_1; [\pi_1 B_1/\alpha]L_1'')$ 

(e) and $(\Delta_1; \pi_2 B_1; [\pi_1 B_1/\alpha]L_1'')$ is $(\Delta_2; \pi_2 A_2; [\pi_1 A_2/\alpha]K_2'')$. 

(f) By the inductive hypothesis, $(\Delta_1; \pi_2 A_1; [\pi_1 A_1/\alpha]K_1'')$ is $(\Delta_2; \pi_2 A_2; [\pi_1 A_2/\alpha]K_2'')$. 

(g) Therefore, $(\Delta_1; A_1; \Sigma\alpha{::}K_1'.K_1'')$ is $(\Delta_2; A_2; \Sigma\alpha{::}K_2'.K_2'')$. 

■ 

Because of this restricted formulation, I cannot use symmetry and transitivity to derive properties such as “if $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$ then $(\Delta_1; K_1)$ is $(\Delta_1; K_1)$”. An important purpose of the validity predicates is to make sure that this property does in fact hold (by building it into the definition of the equivalence logical relations). 


Definition 5.3.7 

The judgment $\Gamma \rhd A_1 \sim A_2$ holds if and only if $A_1$ and $A_2$ have a common weak head reduct under typing context $\Gamma$; that is, if and only if there exists $B$ such that $\Gamma \rhd A_1 \leadsto^* B$ and $\Gamma \rhd A_2 \leadsto^* B$. 

Note that this definition does not require that either constructor have a weak head normal form, though if either constructor has one then they share the same one. The following lemma then shows that logical term equivalence and validity are preserved under weak head expansion and reduction. 

Lemma 5.3.8 (Weak Head Closure) 

1. If $\Gamma \rhd A \leadsto B$ then $\Gamma \rhd \mathcal{E}[A] \leadsto \mathcal{E}[B]$ 

2. If $\Gamma \rhd A_1 \sim A_2$ then $\Gamma \rhd \mathcal{E}[A_1] \sim \mathcal{E}[A_2]$. 

3. If $(\Delta; A; K)$ valid and $\Delta \rhd A' \sim A$, then $(\Delta; A'; K)$ valid. 

4. If $(\Delta_1; A_1; K_1)$ is $(\Delta_2; A_2; K_2)$, $\Delta_1 \rhd A_1' \sim A_1$, and $\Delta_2 \rhd A_2' \sim A_2$ then $(\Delta_1; A_1'; K_1)$ is $(\Delta_2; A_2'; K_2)$. 

Proof: 

1. Obvious by definition of $\Gamma \rhd A \leadsto B$. 

2. By repeated application of part 1. 

3. Proved simultaneously with the following part by induction on the size of $K$. Assume $(\Delta; A; K)$ valid and $\Delta \rhd A' \sim A$. Note that $(\Delta; K)$ valid. 

• Case: $K = T$. 

(a) $\Delta \rhd A :: T \Leftrightarrow \Delta \rhd A :: T$. 

(b) By the definition of the algorithm and determinacy of weak head reduction, $\Delta \rhd A' :: T \Leftrightarrow \Delta \rhd A' :: T$. 

(c) Therefore $(\Delta; A'; T)$ valid. 

• Case: $K = S(B)$ 

(a) Then $\Delta \rhd A :: T \Leftrightarrow \Delta \rhd B :: T$ 

(b) so by the definition of the algorithm and determinacy of weak head reduction $\Delta \rhd A' :: T \Leftrightarrow \Delta \rhd B :: T$ 

(c) which yields $(\Delta; A'; S(B))$ valid 

• Case: $K = \Pi\alpha{::}K'.K''$. 

(a) Let $\Delta', \Delta'' \supseteq \Delta$ and assume that $(\Delta'; B_1; K')$ is $(\Delta''; B_2; K')$. 

(b) Then $(\Delta'; A\,B_1; [B_1/\alpha]K'')$ is $(\Delta''; A\,B_2; [B_2/\alpha]K'')$, 

(c) By part 2 and an obvious context weakening property, $\Delta' \rhd A'\,B_1 \sim A\,B_1$ 

(d) and $\Delta'' \rhd A'\,B_2 \sim A\,B_2$. 

(e) By the inductive hypothesis, $(\Delta'; A'\,B_1; [B_1/\alpha]K'')$ is $(\Delta''; A'\,B_2; [B_2/\alpha]K'')$. 

(f) Therefore, $(\Delta; A'; \Pi\alpha{::}K'.K'')$ valid. 

• Case: $K = \Sigma\alpha{::}K'.K''$. 

(a) Then $(\Delta; \pi_1 A; K')$ valid 

(b) and by part 2, $\Delta \rhd \pi_1 A' \sim \pi_1 A$. 

(c) By the inductive hypothesis, $(\Delta; \pi_1 A'; K')$ valid. 

(d) By reflexivity $(\Delta; \pi_1 A'; K')$ is $(\Delta; \pi_1 A'; K')$, 

(e) and inductively by part 4, $(\Delta; \pi_1 A; K')$ is $(\Delta; \pi_1 A'; K')$. 

(f) Similarly, $(\Delta; \pi_2 A; [\pi_1 A/\alpha]K'')$ valid, 

(g) and $\Delta \rhd \pi_2 A' \sim \pi_2 A$, 

(h) so by the inductive hypothesis again, $(\Delta; \pi_2 A'; [\pi_1 A/\alpha]K'')$ valid. 

(i) But $(\Delta; [\pi_1 A/\alpha]K'')$ is $(\Delta; [\pi_1 A'/\alpha]K'')$, 

(j) so by reflexivity and Lemma 5.3.4, $(\Delta; [\pi_1 A/\alpha]K'' \le [\pi_1 A'/\alpha]K'')$ is $(\Delta; [\pi_1 A/\alpha]K'' \le [\pi_1 A'/\alpha]K'')$, 

(k) so $(\Delta; \pi_2 A'; [\pi_1 A'/\alpha]K'')$ valid. 

(l) Therefore, $(\Delta; A'; \Sigma\alpha{::}K'.K'')$ valid. 

4. Assume $(\Delta_1; A_1; K_1)$ is $(\Delta_2; A_2; K_2)$, $\Delta_1 \rhd A_1' \sim A_1$, and $\Delta_2 \rhd A_2' \sim A_2$. First, note that $(\Delta_1; A_1; K_1)$ valid, $(\Delta_2; A_2; K_2)$ valid, and $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$. By the argument in part 3, $(\Delta_1; A_1'; K_1)$ valid and $(\Delta_2; A_2'; K_2)$ valid. 

• Case: $K_1 = K_2 = T$. 

(a) $\Delta_1 \rhd A_1 :: T \Leftrightarrow \Delta_2 \rhd A_2 :: T$. 

(b) By the definition of the algorithm, $\Delta_1 \rhd A_1' :: T \Leftrightarrow \Delta_2 \rhd A_2' :: T$. 

(c) Therefore $(\Delta_1; A_1'; T)$ is $(\Delta_2; A_2'; T)$. 

• Case: $K_1 = S(B_1)$ and $K_2 = S(B_2)$. 

(a) Then $\Delta_1 \rhd A_1 :: T \Leftrightarrow \Delta_2 \rhd A_2 :: T$ 

(b) so $\Delta_1 \rhd A_1' :: T \Leftrightarrow \Delta_2 \rhd A_2' :: T$ 

(c) which yields $(\Delta_1; A_1'; S(B_1))$ is $(\Delta_2; A_2'; S(B_2))$. 

• Case: $K_1 = \Pi\alpha{::}K_1'.K_1''$ and $K_2 = \Pi\alpha{::}K_2'.K_2''$. 

(a) Let $\Delta_1' \supseteq \Delta_1$ and $\Delta_2' \supseteq \Delta_2$ and assume that $(\Delta_1'; B_1; K_1')$ is $(\Delta_2'; B_2; K_2')$. 

(b) Then $(\Delta_1'; A_1\,B_1; [B_1/\alpha]K_1'')$ is $(\Delta_2'; A_2\,B_2; [B_2/\alpha]K_2'')$, 

(c) By part 2 and an obvious weakening property, $\Delta_1' \rhd A_1'\,B_1 \sim A_1\,B_1$ 

(d) and $\Delta_2' \rhd A_2'\,B_2 \sim A_2\,B_2$. 

(e) By the inductive hypothesis $(\Delta_1'; A_1'\,B_1; [B_1/\alpha]K_1'')$ is $(\Delta_2'; A_2'\,B_2; [B_2/\alpha]K_2'')$. 

(f) Therefore, $(\Delta_1; A_1'; \Pi\alpha{::}K_1'.K_1'')$ is $(\Delta_2; A_2'; \Pi\alpha{::}K_2'.K_2'')$. 

• Case: $K_1 = \Sigma\alpha{::}K_1'.K_1''$ and $K_2 = \Sigma\alpha{::}K_2'.K_2''$. 

(a) Then $(\Delta_1; \pi_1 A_1; K_1')$ is $(\Delta_2; \pi_1 A_2; K_2')$, 

(b) $(\Delta_1; \pi_1 A_1; K_1')$ is $(\Delta_1; \pi_1 A_1; K_1')$, 

(c) $(\Delta_2; \pi_1 A_2; K_2')$ is $(\Delta_2; \pi_1 A_2; K_2')$, 

(d) and by part 2, $\Delta_1 \rhd \pi_1 A_1' \sim \pi_1 A_1$, 

(e) and $\Delta_2 \rhd \pi_1 A_2' \sim \pi_1 A_2$. 

(f) By the inductive hypothesis, $(\Delta_1; \pi_1 A_1'; K_1')$ is $(\Delta_2; \pi_1 A_2'; K_2')$, 

(g) $(\Delta_1; \pi_1 A_1; K_1')$ is $(\Delta_1; \pi_1 A_1'; K_1')$, 

(h) and $(\Delta_2; \pi_1 A_2; K_2')$ is $(\Delta_2; \pi_1 A_2'; K_2')$. 

(i) Similarly, $(\Delta_1; \pi_2 A_1; [\pi_1 A_1/\alpha]K_1'')$ is $(\Delta_2; \pi_2 A_2; [\pi_1 A_2/\alpha]K_2'')$, 

(j) $\Delta_1 \rhd \pi_2 A_1' \sim \pi_2 A_1$, 

(k) and $\Delta_2 \rhd \pi_2 A_2' \sim \pi_2 A_2$. 

(l) By the inductive hypothesis again, $(\Delta_1; \pi_2 A_1'; [\pi_1 A_1/\alpha]K_1'')$ is $(\Delta_2; \pi_2 A_2'; [\pi_1 A_2/\alpha]K_2'')$. 

(m) But $(\Delta_1; K_1)$ is $(\Delta_1; K_1)$ and $(\Delta_2; K_2)$ is $(\Delta_2; K_2)$, 

(n) so $(\Delta_1; [\pi_1 A_1/\alpha]K_1'')$ is $(\Delta_1; [\pi_1 A_1'/\alpha]K_1'')$, 

(o) $(\Delta_2; [\pi_1 A_2/\alpha]K_2'')$ is $(\Delta_2; [\pi_1 A_2'/\alpha]K_2'')$, 

(p) and $(\Delta_1; [\pi_1 A_1'/\alpha]K_1'')$ is $(\Delta_2; [\pi_1 A_2'/\alpha]K_2'')$. 

(q) By Lemma 5.3.4, $(\Delta_1; [\pi_1 A_1/\alpha]K_1'' \le [\pi_1 A_1'/\alpha]K_1'')$ is $(\Delta_2; [\pi_1 A_2/\alpha]K_2'' \le [\pi_1 A_2'/\alpha]K_2'')$, 

(r) so $(\Delta_1; \pi_2 A_1'; [\pi_1 A_1'/\alpha]K_1'')$ is $(\Delta_2; \pi_2 A_2'; [\pi_1 A_2'/\alpha]K_2'')$. 

(s) Therefore, $(\Delta_1; A_1'; \Sigma\alpha{::}K_1'.K_1'')$ is $(\Delta_2; A_2'; \Sigma\alpha{::}K_2'.K_2'')$. 





■ 


Following all this preliminary work, I can now show that equivalence under the logical relations implies equivalence under the algorithm. This requires a strengthened induction hypothesis: that under suitable conditions variables (and more generally paths) are logically valid/equivalent. 

Lemma 5.3.9 

1. If $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$ then $\Delta_1 \rhd K_1 \Leftrightarrow \Delta_2 \rhd K_2$. 

2. If $(\Delta_1; A_1; K_1)$ is $(\Delta_2; A_2; K_2)$ then $\Delta_1 \rhd A_1 :: K_1 \Leftrightarrow \Delta_2 \rhd A_2 :: K_2$. 

3. If $(\Delta; K)$ valid, $\Delta \rhd p \uparrow K \leftrightarrow \Delta \rhd p \uparrow K$, then $(\Delta; p; K)$ valid. 

4. If $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$ and $\Delta_1 \rhd p_1 \uparrow K_1 \leftrightarrow \Delta_2 \rhd p_2 \uparrow K_2$ then $(\Delta_1; p_1; K_1)$ is $(\Delta_2; p_2; K_2)$. 

Proof: By simultaneous induction on the size of the kinds involved. 

For part 4, note that in all cases $\Delta_1 \rhd p_1 \uparrow K_1 \leftrightarrow \Delta_1 \rhd p_1 \uparrow K_1$ and $\Delta_2 \rhd p_2 \uparrow K_2 \leftrightarrow \Delta_2 \rhd p_2 \uparrow K_2$ by symmetry and transitivity of the algorithm, $(\Delta_1; K_1)$ valid, and $(\Delta_2; K_2)$ valid. Hence by part 3, $(\Delta_1; p_1; K_1)$ valid and $(\Delta_2; p_2; K_2)$ valid. 

• Case: $K = K_1 = K_2 = T$. 

1. $\Delta_1 \rhd T \Leftrightarrow \Delta_2 \rhd T$ by the definition of the algorithm. 

2. (a) Assume $(\Delta_1; A_1; T)$ is $(\Delta_2; A_2; T)$. 

(b) By the definition of this relation, $\Delta_1 \rhd A_1 :: T \Leftrightarrow \Delta_2 \rhd A_2 :: T$. 

3. (a) Assume $(\Delta; T)$ valid and 

(b) $\Delta \rhd p \uparrow T \leftrightarrow \Delta \rhd p \uparrow T$. 

(c) By Lemma 5.2.2, $\Delta \rhd p \uparrow T$. 

(d) Then $\Delta \rhd p \Downarrow p$ because $p$ is a path without a definition, 

(e) so $\Delta \rhd p :: T \Leftrightarrow \Delta \rhd p :: T$. 

(f) Therefore $(\Delta; p; T)$ valid. 

4. (a) Assume $\Delta_1 \rhd p_1 \uparrow T \leftrightarrow \Delta_2 \rhd p_2 \uparrow T$ 

(b) and $(\Delta_1; T)$ is $(\Delta_2; T)$. 

(c) By Lemma 5.2.2, $\Delta_1 \rhd p_1 \uparrow T$ and $\Delta_2 \rhd p_2 \uparrow T$. 

(d) Thus $\Delta_1 \rhd p_1 \Downarrow p_1$ and $\Delta_2 \rhd p_2 \Downarrow p_2$, 

(e) so $\Delta_1 \rhd p_1 :: T \Leftrightarrow \Delta_2 \rhd p_2 :: T$. 

(f) Therefore $(\Delta_1; p_1; T)$ is $(\Delta_2; p_2; T)$. 

• Case: $K = S(B)$, $K_1 = S(B_1)$, and $K_2 = S(B_2)$. 

1. (a) Assume $(\Delta_1; K_1)$ is $(\Delta_2; K_2)$. 

(b) Then by definition $(\Delta_1; B_1; T)$ is $(\Delta_2; B_2; T)$, 

(c) so $\Delta_1 \rhd B_1 :: T \Leftrightarrow \Delta_2 \rhd B_2 :: T$. 

(d) Therefore, $\Delta_1 \rhd S(B_1) \Leftrightarrow \Delta_2 \rhd S(B_2)$. 

2. (a) Then $(\Delta_1; A_1; T)$ is $(\Delta_2; A_2; T)$. 

(b) Thus $\Delta_1 \rhd A_1 :: T \Leftrightarrow \Delta_2 \rhd A_2 :: T$. 

(c) By the definition of the algorithm then, $\Delta_1 \rhd A_1 :: S(B_1) \Leftrightarrow \Delta_2 \rhd A_2 :: S(B_2)$. 

3. (a) Assume $(\Delta; S(B))$ valid, 

(b) and $\Delta \rhd p \uparrow S(B) \leftrightarrow \Delta \rhd p \uparrow S(B)$. 

(c) By Lemma 5.2.2, $\Delta \rhd p \uparrow S(B)$. 

(d) Then $\Delta \rhd p \leadsto B$ so $\Delta \rhd p \sim B$. 

(e) By $(\Delta; S(B))$ valid, $\Delta \rhd B :: T \Leftrightarrow \Delta \rhd B :: T$. 

(f) By the definition of the algorithm, $\Delta \rhd p :: T \Leftrightarrow \Delta \rhd B :: T$. 

(g) Therefore $(\Delta; p; S(B))$ valid. 

4. (a) Assume $(\Delta_1; S(B_1))$ is $(\Delta_2; S(B_2))$, 

(b) and $\Delta_1 \rhd p_1 \uparrow S(B_1) \leftrightarrow \Delta_2 \rhd p_2 \uparrow S(B_2)$. 

(c) By definition of the logical relations, $\Delta_1 \rhd B_1 :: T \Leftrightarrow \Delta_2 \rhd B_2 :: T$. 

(d) By Lemma 5.2.2, $\Delta_1 \rhd p_1 \uparrow S(B_1)$ and $\Delta_2 \rhd p_2 \uparrow S(B_2)$. 

(e) That is, $\Delta_1 \rhd p_1 \leadsto B_1$ and $\Delta_2 \rhd p_2 \leadsto B_2$. 

(f) Hence $\Delta_1 \rhd p_1 :: T \Leftrightarrow \Delta_2 \rhd p_2 :: T$. 

(g) Therefore $(\Delta_1; p_1; S(B_1))$ is $(\Delta_2; p_2; S(B_2))$. 

• Case: $K = \Pi\alpha{::}K'.K''$, $K_1 = \Pi\alpha{::}K_1'.K_1''$ and $K_2 = \Pi\alpha{::}K_2'.K_2''$. 

1. (a) Assume $(\Delta_1; \Pi\alpha{::}K_1'.K_1'')$ is $(\Delta_2; \Pi\alpha{::}K_2'.K_2'')$. 

(b) Then $(\Delta_1; K_1')$ is $(\Delta_2; K_2')$. 

(c) By the inductive hypothesis we have $\Delta_1 \rhd K_1' \Leftrightarrow \Delta_2 \rhd K_2'$. 

(d) Now $\Delta_1, \alpha{::}K_1' \rhd \alpha \uparrow K_1' \leftrightarrow \Delta_2, \alpha{::}K_2' \rhd \alpha \uparrow K_2'$. 

(e) Inductively by part 4, $(\Delta_1, \alpha{::}K_1'; \alpha; K_1')$ is $(\Delta_2, \alpha{::}K_2'; \alpha; K_2')$. 

(f) Thus $(\Delta_1, \alpha{::}K_1'; K_1'')$ is $(\Delta_2, \alpha{::}K_2'; K_2'')$ 

(g) By the inductive hypothesis, $\Delta_1, \alpha{::}K_1' \rhd K_1'' \Leftrightarrow \Delta_2, \alpha{::}K_2' \rhd K_2''$. 

(h) Therefore $\Delta_1 \rhd \Pi\alpha{::}K_1'.K_1'' \Leftrightarrow \Delta_2 \rhd \Pi\alpha{::}K_2'.K_2''$. 

2. (a) Assume $(\Delta_1; A_1; \Pi\alpha{::}K_1'.K_1'')$ is $(\Delta_2; A_2; \Pi\alpha{::}K_2'.K_2'')$. 

(b) Then $(\Delta_1; \Pi\alpha{::}K_1'.K_1'')$ is $(\Delta_2; \Pi\alpha{::}K_2'.K_2'')$ 

(c) so as above, inductively by part 4 we have $(\Delta_1, \alpha{::}K_1'; \alpha; K_1')$ is $(\Delta_2, \alpha{::}K_2'; \alpha; K_2')$. 

(d) Then $(\Delta_1, \alpha{::}K_1'; A_1\,\alpha; K_1'')$ is $(\Delta_2, \alpha{::}K_2'; A_2\,\alpha; K_2'')$. 

(e) By the inductive hypothesis again, $\Delta_1, \alpha{::}K_1' \rhd A_1\,\alpha :: K_1'' \Leftrightarrow \Delta_2, \alpha{::}K_2' \rhd A_2\,\alpha :: K_2''$. 

(f) Therefore $\Delta_1 \rhd A_1 :: \Pi\alpha{::}K_1'.K_1'' \Leftrightarrow \Delta_2 \rhd A_2 :: \Pi\alpha{::}K_2'.K_2''$. 

3. (a) Assume $(\Delta; K)$ valid 

(b) and $\Delta \rhd p \uparrow K \leftrightarrow \Delta \rhd p \uparrow K$. 

(c) Let $\Delta', \Delta'' \supseteq \Delta$ 

(d) and assume $(\Delta'; B'; K')$ is $(\Delta''; B''; K')$. 

(e) Inductively by part 2, $\Delta' \rhd B' :: K' \Leftrightarrow \Delta'' \rhd B'' :: K'$. 

(f) Thus using Weakening, $\Delta' \rhd p\,B' \uparrow [B'/\alpha]K'' \leftrightarrow \Delta'' \rhd p\,B'' \uparrow [B''/\alpha]K''$. 

(g) By $(\Delta; K)$ valid, $(\Delta'; [B'/\alpha]K'')$ is $(\Delta''; [B''/\alpha]K'')$. 

(h) Inductively by part 4, $(\Delta'; p\,B'; [B'/\alpha]K'')$ is $(\Delta''; p\,B''; [B''/\alpha]K'')$. 

(i) Therefore $(\Delta; p; \Pi\alpha{::}K'.K'')$ valid. 

4. (a) Assume $(\Delta_1; \Pi\alpha{::}K_1'.K_1'')$ is $(\Delta_2; \Pi\alpha{::}K_2'.K_2'')$, 

(b) and $\Delta_1 \rhd p_1 \uparrow \Pi\alpha{::}K_1'.K_1'' \leftrightarrow \Delta_2 \rhd p_2 \uparrow \Pi\alpha{::}K_2'.K_2''$. 

(c) Let $\Delta_1' \supseteq \Delta_1$ and $\Delta_2' \supseteq \Delta_2$ and assume that $(\Delta_1'; B_1; K_1')$ is $(\Delta_2'; B_2; K_2')$. 

(d) Then $(\Delta_1'; [B_1/\alpha]K_1'')$ is $(\Delta_2'; [B_2/\alpha]K_2'')$. 

(e) Inductively by part 2, $\Delta_1' \rhd B_1 :: K_1' \Leftrightarrow \Delta_2' \rhd B_2 :: K_2'$, 

(f) and by Weakening, $\Delta_1' \rhd p_1 \uparrow \Pi\alpha{::}K_1'.K_1'' \leftrightarrow \Delta_2' \rhd p_2 \uparrow \Pi\alpha{::}K_2'.K_2''$, 

(g) so we have $\Delta_1' \rhd p_1\,B_1 \uparrow [B_1/\alpha]K_1'' \leftrightarrow \Delta_2' \rhd p_2\,B_2 \uparrow [B_2/\alpha]K_2''$. 

(h) By the inductive hypothesis, $(\Delta_1'; p_1\,B_1; [B_1/\alpha]K_1'')$ is $(\Delta_2'; p_2\,B_2; [B_2/\alpha]K_2'')$. 

(i) Therefore $(\Delta_1; p_1; \Pi\alpha{::}K_1'.K_1'')$ is $(\Delta_2; p_2; \Pi\alpha{::}K_2'.K_2'')$. 

• Case: $K = \Sigma\alpha{::}K'.K''$, $K_1 = \Sigma\alpha{::}K_1'.K_1''$ and $K_2 = \Sigma\alpha{::}K_2'.K_2''$. 

1. The corresponding argument for the $\Pi$ case also applies here. 

2. (a) Assume $(\Delta_1; A_1; \Sigma\alpha{::}K_1'.K_1'')$ is $(\Delta_2; A_2; \Sigma\alpha{::}K_2'.K_2'')$. 

(b) Then $(\Delta_1; \pi_1 A_1; K_1')$ is $(\Delta_2; \pi_1 A_2; K_2')$ 

(c) and $(\Delta_1; \pi_2 A_1; [\pi_1 A_1/\alpha]K_1'')$ is $(\Delta_2; \pi_2 A_2; [\pi_1 A_2/\alpha]K_2'')$. 

(d) By the inductive hypothesis, $\Delta_1 \rhd \pi_1 A_1 :: K_1' \Leftrightarrow \Delta_2 \rhd \pi_1 A_2 :: K_2'$ 

(e) and $\Delta_1 \rhd \pi_2 A_1 :: [\pi_1 A_1/\alpha]K_1'' \Leftrightarrow \Delta_2 \rhd \pi_2 A_2 :: [\pi_1 A_2/\alpha]K_2''$. 

(f) Therefore $\Delta_1 \rhd A_1 :: \Sigma\alpha{::}K_1'.K_1'' \Leftrightarrow \Delta_2 \rhd A_2 :: \Sigma\alpha{::}K_2'.K_2''$. 

3. (a) Assume $(\Delta; K)$ valid, 

(b) and $\Delta \rhd p \uparrow K \leftrightarrow \Delta \rhd p \uparrow K$. 

(c) By definition of the algorithm, $\Delta \rhd \pi_1 p \uparrow K' \leftrightarrow \Delta \rhd \pi_1 p \uparrow K'$ 

(d) and $\Delta \rhd \pi_2 p \uparrow [\pi_1 p/\alpha]K'' \leftrightarrow \Delta \rhd \pi_2 p \uparrow [\pi_1 p/\alpha]K''$. 

(e) By the induction hypothesis, $(\Delta; \pi_1 p; K')$ valid. 

(f) By Lemma 5.3.3, $(\Delta; \pi_1 p; K')$ is $(\Delta; \pi_1 p; K')$. 

(g) By $(\Delta; K)$ valid, $(\Delta; [\pi_1 p/\alpha]K'')$ is $(\Delta; [\pi_1 p/\alpha]K'')$. 

(h) Thus $(\Delta; [\pi_1 p/\alpha]K'')$ valid. 

(i) By the induction hypothesis again, $(\Delta; \pi_2 p; [\pi_1 p/\alpha]K'')$ valid. 

(j) Therefore, $(\Delta; p; \Sigma\alpha{::}K'.K'')$ valid. 

4. (a) Assume $(\Delta_1; \Sigma\alpha{::}K_1'.K_1'')$ is $(\Delta_2; \Sigma\alpha{::}K_2'.K_2'')$, 

(b) and $\Delta_1 \rhd p_1 \uparrow \Sigma\alpha{::}K_1'.K_1'' \leftrightarrow \Delta_2 \rhd p_2 \uparrow \Sigma\alpha{::}K_2'.K_2''$. 

(c) Then $\Delta_1 \rhd \pi_1 p_1 \uparrow K_1' \leftrightarrow \Delta_2 \rhd \pi_1 p_2 \uparrow K_2'$ 

(d) and $\Delta_1 \rhd \pi_2 p_1 \uparrow [\pi_1 p_1/\alpha]K_1'' \leftrightarrow \Delta_2 \rhd \pi_2 p_2 \uparrow [\pi_1 p_2/\alpha]K_2''$. 

(e) The inductive hypothesis applies, yielding $(\Delta_1; \pi_1 p_1; K_1')$ is $(\Delta_2; \pi_1 p_2; K_2')$ 

(f) and $(\Delta_1; \pi_2 p_1; [\pi_1 p_1/\alpha]K_1'')$ is $(\Delta_2; \pi_2 p_2; [\pi_1 p_2/\alpha]K_2'')$. 

(g) Therefore $(\Delta_1; p_1; \Sigma\alpha{::}K_1'.K_1'')$ is $(\Delta_2; p_2; \Sigma\alpha{::}K_2'.K_2'')$. 

■ 

Finally we come to the Fundamental Theorem of Logical Relations, which relates provable equivalence of two constructors to the logical relations. The statement of the theorem is strengthened to allow related substitutions, in order for the induction to go through.

Theorem 5.3.10 (Fundamental Theorem)

1. If $\Gamma \vdash K$ and $(\Delta_1; \gamma_1; \Gamma)$ is $(\Delta_2; \gamma_2; \Gamma)$ then $(\Delta_1; \gamma_1 K)$ is $(\Delta_2; \gamma_2 K)$.

2. If $\Gamma \vdash K_1 \le K_2$ and $(\Delta_1; \gamma_1; \Gamma)$ is $(\Delta_2; \gamma_2; \Gamma)$ then $(\Delta_1; \gamma_1 K_1 \le \gamma_1 K_2)$ is $(\Delta_2; \gamma_2 K_1 \le \gamma_2 K_2)$, $(\Delta_1; \gamma_1 K_1)$ is $(\Delta_2; \gamma_2 K_1)$, and $(\Delta_1; \gamma_1 K_2)$ is $(\Delta_2; \gamma_2 K_2)$.

3. If $\Gamma \vdash K_1 = K_2$ and $(\Delta_1; \gamma_1; \Gamma)$ is $(\Delta_2; \gamma_2; \Gamma)$ then $(\Delta_1; \gamma_1 K_1)$ is $(\Delta_2; \gamma_2 K_2)$, $(\Delta_1; \gamma_1 K_1)$ is $(\Delta_2; \gamma_2 K_1)$, and $(\Delta_1; \gamma_1 K_2)$ is $(\Delta_2; \gamma_2 K_2)$.

4. If $\Gamma \vdash A :: K$ and $(\Delta_1; \gamma_1; \Gamma)$ is $(\Delta_2; \gamma_2; \Gamma)$ then $(\Delta_1; \gamma_1 A; \gamma_1 K)$ is $(\Delta_2; \gamma_2 A; \gamma_2 K)$.

5. If $\Gamma \vdash A_1 = A_2 :: K$ and $(\Delta_1; \gamma_1; \Gamma)$ is $(\Delta_2; \gamma_2; \Gamma)$ then $(\Delta_1; \gamma_1 A_1; \gamma_1 K)$ is $(\Delta_2; \gamma_2 A_2; \gamma_2 K)$, $(\Delta_1; \gamma_1 A_1; \gamma_1 K)$ is $(\Delta_2; \gamma_2 A_1; \gamma_2 K)$, and $(\Delta_1; \gamma_1 A_2; \gamma_1 K)$ is $(\Delta_2; \gamma_2 A_2; \gamma_2 K)$.

Proof: By simultaneous induction on the hypothesized derivation.

Note that in all cases, $(\Delta_1; \gamma_1; \Gamma)$ is $(\Delta_1; \gamma_1; \Gamma)$ and $(\Delta_2; \gamma_2; \Gam)$ is $(\Delta_2; \gamma_2; \Gamma)$.

Kind Well-formedness Rules: $\Gamma \vdash K$.

• Case: Rule 2.7.

1. $\gamma_1 \mathrm{T} = \gamma_2 \mathrm{T} = \mathrm{T}$.

2. $(\Delta_1; \mathrm{T})$ is $(\Delta_2; \mathrm{T})$.

• Case: Rule 2.8.

1. By the inductive hypothesis, $(\Delta_1; \gamma_1 A; \mathrm{T})$ is $(\Delta_2; \gamma_2 A; \mathrm{T})$.

2. Therefore $(\Delta_1; \mathrm{S}(\gamma_1 A))$ is $(\Delta_2; \mathrm{S}(\gamma_2 A))$.

• Case: Rule 2.9.

1. By Proposition 3.1.1, there is a strict subderivation $\Gamma, \alpha{::}K' \vdash \mathrm{ok}$

2. and by inversion a strict subderivation $\Gamma \vdash K'$.

3. By the inductive hypothesis, $(\Delta_1; \gamma_1 K')$ is $(\Delta_2; \gamma_2 K')$.

4. Let $\Delta'_1 \supseteq \Delta_1$ and $\Delta'_2 \supseteq \Delta_2$ and assume that $(\Delta'_1; A_1; \gamma_1 K')$ is $(\Delta'_2; A_2; \gamma_2 K')$.

5. Then by monotonicity $(\Delta'_1; \gamma_1[\alpha \mapsto A_1]; \Gamma, \alpha{::}K')$ is $(\Delta'_2; \gamma_2[\alpha \mapsto A_2]; \Gamma, \alpha{::}K')$.

6. By the inductive hypothesis, $(\Delta'_1; (\gamma_1[\alpha \mapsto A_1])K'')$ is $(\Delta'_2; (\gamma_2[\alpha \mapsto A_2])K'')$.

7. That is, $(\Delta'_1; [A_1/\alpha]((\gamma_1[\alpha \mapsto \alpha])K''))$ is $(\Delta'_2; [A_2/\alpha]((\gamma_2[\alpha \mapsto \alpha])K''))$.

8. Therefore, $(\Delta_1; \gamma_1(\Pi\alpha{::}K'.K''))$ is $(\Delta_2; \gamma_2(\Pi\alpha{::}K'.K''))$.

• Case: Rule 2.10. Just like previous case.

Subkinding Rules: $\Gamma \vdash K_1 \le K_2$. In all cases, the proofs that $(\Delta_1; \gamma_1 K_1)$ is $(\Delta_2; \gamma_2 K_1)$ and $(\Delta_1; \gamma_1 K_2)$ is $(\Delta_2; \gamma_2 K_2)$ follow essentially as in the proofs for the well-formedness rules.

Let $\Delta'_1 \supseteq \Delta_1$ and $\Delta'_2 \supseteq \Delta_2$ and assume $(\Delta'_1; B_1; \gamma_1 K_1)$ is $(\Delta'_2; B_2; \gamma_2 K_1)$.

• Case: Rule 2.11. $K_1 = \mathrm{S}(A)$ and $K_2 = \mathrm{T}$. By monotonicity and the definitions of the logical relations.

• Case: Rule 2.12. $K_1 = \mathrm{S}(A_1)$ and $K_2 = \mathrm{S}(A_2)$, with $\Gamma \vdash A_1 = A_2 :: \mathrm{T}$.

1. By the inductive hypothesis we have $(\Delta'_1; \gamma_1 A_2; \mathrm{T})$ is $(\Delta'_2; \gamma_2 A_2; \mathrm{T})$,

2. $(\Delta'_1; \gamma_1 A_1; \mathrm{T})$ is $(\Delta'_1; \gamma_1 A_2; \mathrm{T})$,

3. and $(\Delta'_2; \gamma_2 A_1; \mathrm{T})$ is $(\Delta'_2; \gamma_2 A_2; \mathrm{T})$.

4. Thus $(\Delta'_1; \mathrm{S}(\gamma_1 A_2))$ is $(\Delta'_2; \mathrm{S}(\gamma_2 A_2))$,

5. $(\Delta'_1; \mathrm{S}(\gamma_1 A_1))$ is $(\Delta'_1; \mathrm{S}(\gamma_1 A_2))$,

6. and $(\Delta'_2; \mathrm{S}(\gamma_2 A_1))$ is $(\Delta'_2; \mathrm{S}(\gamma_2 A_2))$,

7. so by Lemma 5.3.4, $(\Delta'_1; \mathrm{S}(\gamma_1 A_1) \le \mathrm{S}(\gamma_1 A_2))$ is $(\Delta'_2; \mathrm{S}(\gamma_2 A_1) \le \mathrm{S}(\gamma_2 A_2))$.

8. Therefore $(\Delta'_1; B_1; \mathrm{S}(\gamma_1 A_2))$ is $(\Delta'_2; B_2; \mathrm{S}(\gamma_2 A_2))$.

• Case: Rule 2.13. $K_1 = K_2 = \mathrm{T}$.

Trivial, since $\gamma_1 \mathrm{T} = \gamma_2 \mathrm{T} = \mathrm{T}$ and $(\Delta_1; \mathrm{T})$ is $(\Delta_2; \mathrm{T})$.

• Case: Rule 2.14. $K_1 = \Pi\alpha{::}K'_1.K''_1$ and $K_2 = \Pi\alpha{::}K'_2.K''_2$ with $\Gamma \vdash K'_2 \le K'_1$ and $\Gamma, \alpha{::}K'_2 \vdash K''_1 \le K''_2$.

1. Let $\Delta''_1 \supseteq \Delta'_1$ and $\Delta''_2 \supseteq \Delta'_2$ and assume $(\Delta''_1; B'_1; \gamma_1 K'_2)$ is $(\Delta''_2; B'_2; \gamma_2 K'_2)$.

2. By the inductive hypothesis, $(\Delta''_1; \gamma_1 K'_2 \le \gamma_1 K'_1)$ is $(\Delta''_2; \gamma_2 K'_2 \le \gamma_2 K'_1)$,

3. so $(\Delta''_1; B'_1; \gamma_1 K'_1)$ is $(\Delta''_2; B'_2; \gamma_2 K'_1)$

4. and $(\Delta''_1; B_1\,B'_1; (\gamma_1[\alpha \mapsto B'_1])K''_1)$ is $(\Delta''_2; B_2\,B'_2; (\gamma_2[\alpha \mapsto B'_2])K''_1)$.

5. By monotonicity, $(\Delta''_1; \gamma_1[\alpha \mapsto B'_1]; \Gamma, \alpha{::}K'_2)$ is $(\Delta''_2; \gamma_2[\alpha \mapsto B'_2]; \Gamma, \alpha{::}K'_2)$.

6. By the inductive hypothesis again,

$(\Delta''_1; (\gamma_1[\alpha \mapsto B'_1])K''_1 \le (\gamma_1[\alpha \mapsto B'_1])K''_2)$ is $(\Delta''_2; (\gamma_2[\alpha \mapsto B'_2])K''_1 \le (\gamma_2[\alpha \mapsto B'_2])K''_2)$,

7. so $(\Delta''_1; B_1\,B'_1; (\gamma_1[\alpha \mapsto B'_1])K''_2)$ is $(\Delta''_2; B_2\,B'_2; (\gamma_2[\alpha \mapsto B'_2])K''_2)$.

8. Thus $(\Delta'_1; B_1; \gamma_1(\Pi\alpha{::}K'_2.K''_2))$ is $(\Delta'_2; B_2; \gamma_2(\Pi\alpha{::}K'_2.K''_2))$.

• Case: Rule 2.15. $K_1 = \Sigma\alpha{::}K'_1.K''_1$ and $K_2 = \Sigma\alpha{::}K'_2.K''_2$ with $\Gamma \vdash K'_1 \le K'_2$ and $\Gamma, \alpha{::}K'_1 \vdash K''_1 \le K''_2$.

1. By the definitions of the logical relations, $(\Delta'_1; \pi_1 B_1; \gamma_1 K'_1)$ is $(\Delta'_2; \pi_1 B_2; \gamma_2 K'_1)$.

2. By the inductive hypothesis, $(\Delta'_1; \gamma_1 K'_1 \le \gamma_1 K'_2)$ is $(\Delta'_2; \gamma_2 K'_1 \le \gamma_2 K'_2)$.

3. Thus $(\Delta'_1; \pi_1 B_1; \gamma_1 K'_2)$ is $(\Delta'_2; \pi_1 B_2; \gamma_2 K'_2)$.

4. Now $(\Delta'_1; \gamma_1[\alpha \mapsto \pi_1 B_1]; \Gamma, \alpha{::}K'_1)$ is $(\Delta'_2; \gamma_2[\alpha \mapsto \pi_1 B_2]; \Gamma, \alpha{::}K'_1)$,

5. so by the inductive hypothesis, $(\Delta'_1; (\gamma_1[\alpha \mapsto \pi_1 B_1])K''_1 \le (\gamma_1[\alpha \mapsto \pi_1 B_1])K''_2)$ is

$(\Delta'_2; (\gamma_2[\alpha \mapsto \pi_1 B_2])K''_1 \le (\gamma_2[\alpha \mapsto \pi_1 B_2])K''_2)$.

6. Since $(\Delta'_1; \pi_2 B_1; (\gamma_1[\alpha \mapsto \pi_1 B_1])K''_1)$ is $(\Delta'_2; \pi_2 B_2; (\gamma_2[\alpha \mapsto \pi_1 B_2])K''_1)$,

7. $(\Delta'_1; \pi_2 B_1; (\gamma_1[\alpha \mapsto \pi_1 B_1])K''_2)$ is $(\Delta'_2; \pi_2 B_2; (\gamma_2[\alpha \mapsto \pi_1 B_2])K''_2)$.

8. Therefore, $(\Delta'_1; B_1; \gamma_1(\Sigma\alpha{::}K'_2.K''_2))$ is $(\Delta'_2; B_2; \gamma_2(\Sigma\alpha{::}K'_2.K''_2))$.

Kind Equivalence Rules: $\Gamma \vdash K_1 = K_2$.

It suffices to prove that if $\Gamma \vdash K_1 = K_2$ and $(\Delta_1; \gamma_1; \Gamma)$ is $(\Delta_2; \gamma_2; \Gamma)$ then $(\Delta_1; \gamma_1 K_1)$ is $(\Delta_2; \gamma_2 K_2)$, because we can apply this to get $(\Delta_2; \gamma_2 K_1)$ is $(\Delta_2; \gamma_2 K_2)$, so $(\Delta_1; \gamma_1 K_1)$ is $(\Delta_2; \gamma_2 K_1)$ follows by symmetry and transitivity. A similar argument yields $(\Delta_1; \gamma_1 K_2)$ is $(\Delta_2; \gamma_2 K_2)$.

In all cases, the proofs that $(\Delta_1; \gamma_1 K_1)$ is $(\Delta_2; \gamma_2 K_1)$ and $(\Delta_1; \gamma_1 K_2)$ is $(\Delta_2; \gamma_2 K_2)$ follow essentially as in the proofs for the well-formedness rules.

• Case: Rule 2.16. $K_1 = K_2 = \mathrm{T}$. $(\Delta_1; \mathrm{T})$ is $(\Delta_2; \mathrm{T})$ by the definition of the logical relation.

• Case: Rule 2.17. $K_1 = \mathrm{S}(A_1)$ and $K_2 = \mathrm{S}(A_2)$ with $\Gamma \vdash A_1 = A_2 :: \mathrm{T}$.

1. By the inductive hypothesis, $(\Delta_1; \gamma_1 A_1; \mathrm{T})$ is $(\Delta_2; \gamma_2 A_2; \mathrm{T})$.

2. Therefore, $(\Delta_1; \mathrm{S}(\gamma_1 A_1))$ is $(\Delta_2; \mathrm{S}(\gamma_2 A_2))$.

• Case: Rule 2.18. $K_1 = \Pi\alpha{::}K'_1.K''_1$ and $K_2 = \Pi\alpha{::}K'_2.K''_2$ with $\Gamma \vdash K'_1 = K'_2$ and $\Gamma, \alpha{::}K'_1 \vdash K''_1 = K''_2$.

1. By the inductive hypothesis, $(\Delta_1; \gamma_1 K'_1)$ is $(\Delta_2; \gamma_2 K'_2)$.

2. Let $\Delta'_1 \supseteq \Delta_1$ and $\Delta'_2 \supseteq \Delta_2$

3. and assume $(\Delta'_1; A_1; \gamma_1 K'_1)$ is $(\Delta'_2; A_2; \gamma_2 K'_2)$.

4. By the inductive hypothesis, $(\Delta'_1; \gamma_1 K'_1)$ is $(\Delta'_2; \gamma_2 K'_2)$

5. and $(\Delta'_2; \gamma_2 K'_1)$ is $(\Delta'_2; \gamma_2 K'_2)$.

6. By symmetry, $(\Delta'_2; \gamma_2 K'_2)$ is $(\Delta'_2; \gamma_2 K'_1)$,

7. and by reflexivity $(\Delta'_1; \gamma_1 K'_1)$ is $(\Delta'_1; \gamma_1 K'_1)$.

8. By Lemma 5.3.4, $(\Delta'_1; \gamma_1 K'_1 \le \gamma_1 K'_1)$ is $(\Delta'_2; \gamma_2 K'_2 \le \gamma_2 K'_1)$,

9. so $(\Delta'_1; A_1; \gamma_1 K'_1)$ is $(\Delta'_2; A_2; \gamma_2 K'_1)$.

10. By monotonicity, then, $(\Delta'_1; \gamma_1[\alpha \mapsto A_1]; \Gamma, \alpha{::}K'_1)$ is $(\Delta'_2; \gamma_2[\alpha \mapsto A_2]; \Gamma, \alpha{::}K'_1)$.

11. By the inductive hypothesis again, $(\Delta'_1; (\gamma_1[\alpha \mapsto A_1])K''_1)$ is $(\Delta'_2; (\gamma_2[\alpha \mapsto A_2])K''_2)$.

12. Therefore $(\Delta_1; \gamma_1(\Pi\alpha{::}K'_1.K''_1))$ is $(\Delta_2; \gamma_2(\Pi\alpha{::}K'_2.K''_2))$.

• Case: Rule 2.19. Same proof as for previous case.

Constructor Validity Rules: $\Gamma \vdash A :: K$.

• Case: Rule 2.20.

1. $(\Delta_1; \mathrm{T})$ is $(\Delta_2; \mathrm{T})$

2. $\Delta_1 \rhd b_i \uparrow \mathrm{T} \leftrightarrow \Delta_2 \rhd b_i \uparrow \mathrm{T}$.

3. Thus by Lemma 5.3.9 we have $(\Delta_1; b_i; \mathrm{T})$ is $(\Delta_2; b_i; \mathrm{T})$.

• Case: Rule 2.21. Analogous to the previous case.

• Case: Rule 2.22. Analogous to the previous case.

• Case: Rule 2.23.

By the assumptions for $\gamma_1$ and $\gamma_2$, we have $(\Delta_1; \gamma_1 \alpha; \gamma_1(\Gamma(\alpha)))$ is $(\Delta_2; \gamma_2 \alpha; \gamma_2(\Gamma(\alpha)))$.

• Case: Rule 2.24.

1. By Proposition 3.1.1 there is a strict subderivation $\Gamma \vdash K'$.

2. By the inductive hypothesis, $(\Delta_1; \gamma_1 K')$ is $(\Delta_2; \gamma_2 K')$.

3. Let $\Delta'_1 \supseteq \Delta_1$ and $\Delta'_2 \supseteq \Delta_2$ and assume $(\Delta'_1; B_1; \gamma_1 K')$ is $(\Delta'_2; B_2; \gamma_2 K')$.

4. Using monotonicity, $(\Delta'_1; \gamma_1[\alpha \mapsto B_1]; \Gamma, \alpha{::}K')$ is $(\Delta'_2; \gamma_2[\alpha \mapsto B_2]; \Gamma, \alpha{::}K')$.

5. By the inductive hypothesis,

$(\Delta'_1; (\gamma_1[\alpha \mapsto B_1])A; (\gamma_1[\alpha \mapsto B_1])K'')$ is $(\Delta'_2; (\gamma_2[\alpha \mapsto B_2])A; (\gamma_2[\alpha \mapsto B_2])K'')$.

6. Now $\Delta'_1 \rhd (\gamma_1[\alpha \mapsto B_1])A \sim (\gamma_1(\lambda\alpha{::}K'.A))\,B_1$

7. and $\Delta'_2 \rhd (\gamma_2[\alpha \mapsto B_2])A \sim (\gamma_2(\lambda\alpha{::}K'.A))\,B_2$.

8. By Lemma 5.3.8,

$(\Delta'_1; (\gamma_1(\lambda\alpha{::}K'.A))\,B_1; (\gamma_1[\alpha \mapsto B_1])K'')$ is $(\Delta'_2; (\gamma_2(\lambda\alpha{::}K'.A))\,B_2; (\gamma_2[\alpha \mapsto B_2])K'')$.

9. Similar arguments analogous to lines 3-8 (and reflexivity) show that $(\Delta_1; \gamma_1(\lambda\alpha{::}K'.A); \gamma_1(\Pi\alpha{::}K'.K''))$ valid

10. and $(\Delta_2; \gamma_2(\lambda\alpha{::}K'.A); \gamma_2(\Pi\alpha{::}K'.K''))$ valid.

11. Therefore $(\Delta_1; \gamma_1(\lambda\alpha{::}K'.A); \gamma_1(\Pi\alpha{::}K'.K''))$ is $(\Delta_2; \gamma_2(\lambda\alpha{::}K'.A); \gamma_2(\Pi\alpha{::}K'.K''))$.

• Case: Rule 2.25.

1. By the inductive hypothesis $(\Delta_1; \gamma_1 A; \gamma_1(K' \to K''))$ is $(\Delta_2; \gamma_2 A; \gamma_2(K' \to K''))$

2. and $(\Delta_1; \gamma_1 A'; \gamma_1 K')$ is $(\Delta_2; \gamma_2 A'; \gamma_2 K')$.

3. Therefore, $(\Delta_1; \gamma_1(A\,A'); \gamma_1 K'')$ is $(\Delta_2; \gamma_2(A\,A'); \gamma_2 K'')$.

• Case: Rule 2.26.

1. By the inductive hypothesis and reflexivity, $(\Delta_1; \gamma_1 A_1; \gamma_1 K')$ valid

2. and $(\Delta_1; \gamma_1 A_2; \gamma_1 K'')$ valid.

3. Now $\Delta_1 \rhd \gamma_1 A_1 \sim \pi_1(\gamma_1 A_1, \gamma_1 A_2)$

4. and $\Delta_1 \rhd \gamma_1 A_2 \sim \pi_2(\gamma_1 A_1, \gamma_1 A_2)$.

5. By Lemma 5.3.8 we have $(\Delta_1; \pi_1(\gamma_1 A_1, \gamma_1 A_2); \gamma_1 K')$ valid,

6. $(\Delta_1; \pi_2(\gamma_1 A_1, \gamma_1 A_2); \gamma_1 K'')$ valid.

7. Therefore, $(\Delta_1; (\gamma_1 A_1, \gamma_1 A_2); \gamma_1(K' \times K''))$ valid.

8. A very similar argument shows that $(\Delta_2; (\gamma_2 A_1, \gamma_2 A_2); \gamma_2(K' \times K''))$ valid

9. and an analogous argument shows that

$(\Delta_1; (\gamma_1 A_1, \gamma_1 A_2); \gamma_1(K' \times K''))$ is $(\Delta_2; (\gamma_2 A_1, \gamma_2 A_2); \gamma_2(K' \times K''))$.

• Case: Rule 2.27.

1. By the inductive hypothesis, $(\Delta_1; \gamma_1 A; \gamma_1(\Sigma\alpha{::}K'.K''))$ is $(\Delta_2; \gamma_2 A; \gamma_2(\Sigma\alpha{::}K'.K''))$.

2. Therefore $(\Delta_1; \pi_1 \gamma_1 A; \gamma_1 K')$ is $(\Delta_2; \pi_1 \gamma_2 A; \gamma_2 K')$.

• Case: Rule 2.28.

1. By the inductive hypothesis, $(\Delta_1; \gamma_1 A; \gamma_1(\Sigma\alpha{::}K'.K''))$ is $(\Delta_2; \gamma_2 A; \gamma_2(\Sigma\alpha{::}K'.K''))$.

2. Therefore $(\Delta_1; \pi_2 \gamma_1 A; \gamma_1([\pi_1 A/\alpha]K''))$ is $(\Delta_2; \pi_2 \gamma_2 A; \gamma_2([\pi_1 A/\alpha]K''))$.

• Case: Rule 2.29.

1. By the inductive hypothesis, $(\Delta_1; \gamma_1 A; \mathrm{T})$ is $(\Delta_2; \gamma_2 A; \mathrm{T})$.

2. As in the case for Rule 2.8, $(\Delta_1; \mathrm{S}(\gamma_1 A))$ is $(\Delta_2; \mathrm{S}(\gamma_2 A))$.

3. Thus $(\Delta_1; \gamma_1 A; \mathrm{S}(\gamma_1 A))$ valid,

4. $(\Delta_2; \gamma_2 A; \mathrm{S}(\gamma_2 A))$ valid,

5. and $(\Delta_1; \gamma_1 A; \mathrm{S}(\gamma_1 A))$ is $(\Delta_2; \gamma_2 A; \mathrm{S}(\gamma_2 A))$.

• Case: Rule 2.30.

1. By the inductive hypothesis, $(\Delta_1; \pi_1(\gamma_1 A); \gamma_1 K')$ is $(\Delta_2; \pi_1(\gamma_2 A); \gamma_2 K')$,

2. and $(\Delta_1; \pi_2(\gamma_1 A); \gamma_1 K'')$ is $(\Delta_2; \pi_2(\gamma_2 A); \gamma_2 K'')$.

3. Thus $(\Delta_1; \gamma_1 A; \gamma_1(K' \times K''))$ valid,

4. $(\Delta_2; \gamma_2 A; \gamma_2(K' \times K''))$ valid,

5. and therefore $(\Delta_1; \gamma_1 A; \gamma_1(K' \times K''))$ is $(\Delta_2; \gamma_2 A; \gamma_2(K' \times K''))$.

• Case: Rule 2.31.

1. $(\Delta_1; \gamma_1(\Pi\alpha{::}K'.K''))$ is $(\Delta_2; \gamma_2(\Pi\alpha{::}K'.K''))$ as in the case for Rule 2.9.

2. Let $\Delta'_1 \supseteq \Delta_1$ and $\Delta'_2 \supseteq \Delta_2$

3. and assume $(\Delta'_1; B_1; \gamma_1 K')$ is $(\Delta'_2; B_2; \gamma_2 K')$.

4. By monotonicity, $(\Delta'_1; \gamma_1[\alpha \mapsto B_1]; \Gamma, \alpha{::}K')$ is $(\Delta'_2; \gamma_2[\alpha \mapsto B_2]; \Gamma, \alpha{::}K')$.

5. By the inductive hypothesis,

$(\Delta'_1; (\gamma_1[\alpha \mapsto B_1])(A\,\alpha); (\gamma_1[\alpha \mapsto B_1])K'')$ is $(\Delta'_2; (\gamma_2[\alpha \mapsto B_2])(A\,\alpha); (\gamma_2[\alpha \mapsto B_2])K'')$.

6. That is, $(\Delta'_1; (\gamma_1 A)\,B_1; (\gamma_1[\alpha \mapsto B_1])K'')$ is $(\Delta'_2; (\gamma_2 A)\,B_2; (\gamma_2[\alpha \mapsto B_2])K'')$,

7. and so $(\Delta_1; \gamma_1 A; \gamma_1(\Pi\alpha{::}K'.K''))$ is $(\Delta_2; \gamma_2 A; \gamma_2(\Pi\alpha{::}K'.K''))$.

• Case: Rule 2.32.

1. By the inductive hypothesis, $(\Delta_1; \gamma_1 A; \gamma_1 K_1)$ is $(\Delta_2; \gamma_2 A; \gamma_2 K_1)$

2. and $(\Delta_1; \gamma_1 K_1 \le \gamma_1 K_2)$ is $(\Delta_2; \gamma_2 K_1 \le \gamma_2 K_2)$.

3. Therefore, $(\Delta_1; \gamma_1 A; \gamma_1 K_2)$ is $(\Delta_2; \gamma_2 A; \gamma_2 K_2)$.

Constructor Equivalence Rules: $\Gamma \vdash A_1 = A_2 :: K$.

It suffices to prove that if $\Gamma \vdash A_1 = A_2 :: K$ and $(\Delta_1; \gamma_1; \Gamma)$ is $(\Delta_2; \gamma_2; \Gamma)$ then $(\Delta_1; \gamma_1 A_1; \gamma_1 K)$ is $(\Delta_2; \gamma_2 A_2; \gamma_2 K)$, because it follows that $(\Delta_2; \gamma_2 A_1; \gamma_2 K)$ is $(\Delta_2; \gamma_2 A_2; \gamma_2 K)$, so $(\Delta_1; \gamma_1 A_1; \gamma_1 K)$ is $(\Delta_2; \gamma_2 A_1; \gamma_2 K)$ by symmetry and transitivity. A similar argument yields $(\Delta_1; \gamma_1 A_2; \gamma_1 K)$ is $(\Delta_2; \gamma_2 A_2; \gamma_2 K)$.

• Case: Rule 2.33. By the inductive hypothesis.

• Case: Rule 2.34. By the inductive hypothesis and Lemma 5.3.5.

• Case: Rule 2.35.

1. By the inductive hypothesis, $(\Delta_1; \gamma_1 A_1; \gamma_1 K)$ is $(\Delta_1; \gamma_1 A_2; \gamma_1 K)$

2. and $(\Delta_1; \gamma_1 A_2; \gamma_1 K)$ is $(\Delta_2; \gamma_2 A_3; \gamma_2 K)$.

3. By Lemma 5.3.6, $(\Delta_1; \gamma_1 A_1; \gamma_1 K)$ is $(\Delta_2; \gamma_2 A_3; \gamma_2 K)$.

• Case: Rule 2.36. Analogous to the proof for Rule 2.24.

• Case: Rule 2.37. Analogous to the proof for Rule 2.25.

• Case: Rule 2.38. Analogous to the proof for Rule 2.27.

• Case: Rule 2.39. Analogous to the proof for Rule 2.28.

• Case: Rule 2.40. Analogous to the proof for Rule 2.26.

• Case: Rule 2.41. Analogous to the proof for Rule 2.30.

• Case: Rule 2.42. Analogous to the proof of Rule 2.31.

• Case: Rule 2.43. By the inductive hypothesis and the definition of the logical relations.

• Case: Rule 2.44. By the inductive hypothesis.

■

A straightforward proof by induction on well-formed contexts shows that the identity substitution is related to itself:

Lemma 5.3.11

If $\Gamma \vdash \mathrm{ok}$ then for all $\beta \in \mathrm{dom}(\Gamma)$ we have $(\Gamma; \beta; \Gamma(\beta))$ is $(\Gamma; \beta; \Gamma(\beta))$. That is,

$(\Gamma; \mathrm{id}; \Gamma)$ is $(\Gamma; \mathrm{id}; \Gamma)$ where $\mathrm{id}$ is the identity function.

Proof: By induction on the proof of $\Gamma \vdash \mathrm{ok}$.

• Case: Empty context. Vacuous.

• Case: $\Gamma, \alpha{::}K$.

1. By Proposition 3.1.1, $\Gamma \vdash K$, and $\Gamma \vdash \mathrm{ok}$.

2. Also, $\alpha \notin \mathrm{dom}(\Gamma)$.

3. By the inductive hypothesis, $(\Gamma; \beta; \Gamma(\beta))$ is $(\Gamma; \beta; \Gamma(\beta))$ for all $\beta \in \mathrm{dom}(\Gamma)$.

4. By monotonicity, $(\Gamma, \alpha{::}K; \beta; ((\Gamma, \alpha{::}K)(\beta)))$ is $(\Gamma, \alpha{::}K; \beta; ((\Gamma, \alpha{::}K)(\beta)))$ for all $\beta \in \mathrm{dom}(\Gamma)$.

5. By Theorem 5.3.10, $(\Gamma; K)$ is $(\Gamma; K)$

6. and by monotonicity $(\Gamma, \alpha{::}K; K)$ is $(\Gamma, \alpha{::}K; K)$.

7. Now $\Gamma, \alpha{::}K \rhd \alpha \uparrow K \leftrightarrow \Gamma, \alpha{::}K \rhd \alpha \uparrow K$,

8. so by Lemma 5.3.9, $(\Gamma, \alpha{::}K; \alpha; K)$ is $(\Gamma, \alpha{::}K; \alpha; K)$.

■

This yields the completeness result for the equivalence algorithms:

Corollary 5.3.12 (Completeness)

1. If $\Gamma \vdash K_1 = K_2$ then $(\Gamma; K_1)$ is $(\Gamma; K_2)$.

2. If $\Gamma \vdash A_1 = A_2 :: K$ then $(\Gamma; A_1; K)$ is $(\Gamma; A_2; K)$.

3. If $\Gamma \vdash K_1 = K_2$ then $\Gamma \rhd K_1 \Leftrightarrow \Gamma \rhd K_2$.

4. If $\Gamma \vdash A_1 = A_2 :: K$ then $\Gamma \rhd A_1 :: K \Leftrightarrow \Gamma \rhd A_2 :: K$.

Proof:

1,2 By Lemma 5.3.11, we can apply Theorem 5.3.10 with $\gamma_1$ and $\gamma_2$ being identity substitutions.

3,4 Follows directly from parts 1 and 2 and Lemma 5.3.9.

■

Intuitively, the algorithmic constructor equivalence relation can be viewed as simultaneously 
and independently normalizing the two constructors and comparing the results as it goes along (see 
§5.5). Thus termination for both terms individually implies their simultaneous comparison will also 
terminate. This can be proved by induction on the algorithmic judgments (i.e., by induction on 
the steps of the algorithm). 

Lemma 5.3.13

1. If $\Gamma_1 \rhd A_1 \uparrow K_1 \leftrightarrow \Gamma_1 \rhd A_1 \uparrow K_1$ and $\Gamma_2 \rhd A_2 \uparrow K_2 \leftrightarrow \Gamma_2 \rhd A_2 \uparrow K_2$ then $\Gamma_1 \rhd A_1 \uparrow K_1 \leftrightarrow \Gamma_2 \rhd A_2 \uparrow K_2$ is decidable.

2. If $\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_1 \rhd A_1 :: K_1$ and $\Gamma_2 \rhd A_2 :: K_2 \Leftrightarrow \Gamma_2 \rhd A_2 :: K_2$ then $\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: K_2$ is decidable.

3. If $\Gamma_1 \rhd K_1 \Leftrightarrow \Gamma_1 \rhd K_1$ and $\Gamma_2 \rhd K_2 \Leftrightarrow \Gamma_2 \rhd K_2$ then $\Gamma_1 \rhd K_1 \Leftrightarrow \Gamma_2 \rhd K_2$ is decidable.

Proof: By induction on algorithmic derivations. ■

Then completeness yields the following corollary.

Corollary 5.3.14 (Algorithmic Decidability)

1. If $\Gamma \vdash A_1 :: K$ and $\Gamma \vdash A_2 :: K$ then $\Gamma \rhd A_1 :: K \Leftrightarrow \Gamma \rhd A_2 :: K$ is decidable.

2. If $\Gamma \vdash K_1$ and $\Gamma \vdash K_2$ then $\Gamma \rhd K_1 \Leftrightarrow \Gamma \rhd K_2$ is decidable.

Proof: By reflexivity, Corollary 5.3.12, and Lemma 5.3.13. ■

I conclude this section with an application of completeness. 

Proposition 5.3.15 (Consistency)

Assume $c_1$ and $c_2$ are distinct type constructor constants. Then the judgment

$\Gamma \vdash \mathcal{E}_1[c_1] = \mathcal{E}_2[c_2] :: K$

is not provable.

Proof: The MILo constructor constants have either kind $\mathrm{T}$ or $\mathrm{T} \to (\mathrm{T} \to \mathrm{T})$, so any path with a constant at its head cannot have its extracted kind be a singleton kind, and hence must be head-normal. Also, two paths with distinct constants at their heads will not be equivalent according to the algorithmic weak constructor equivalence. Therefore the paths will be algorithmically inequivalent at kind $K$, which by completeness implies inequivalence in the declarative system. ■

In proving soundness of the TILT compiler's intermediate language, these sorts of consistency properties are essential. The argument that, for example, every closed value of type int is an integer constant would fail if the type int were provably equivalent to a function type, a product type, or another base type.
5.4 Completeness and Termination

Finally, I transfer the soundness and completeness results of the previous section back to the original algorithm for constructor equivalence. I use a "size" metric for derivations in the six-place equivalence system. This metric measures the size of the derivation ignoring head reduction, head normalization, and kind equivalence steps; that is, the metric is the number of term or path equivalence rules used directly in the derivation. Since every provable algorithmic judgment has at most one derivation, I can refer unambiguously to the size of a judgment.

The important properties of this metric are summarized in the following two lemmas. 

Lemma 5.4.1

1. If $\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: K_2$ and $\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_3 \rhd A_3 :: K_3$ then the two derivations have equal sizes.

2. If $\Gamma_1 \rhd A_1 \uparrow K_1 \leftrightarrow \Gamma_2 \rhd A_2 \uparrow K_2$ and $\Gamma_1 \rhd A_1 \uparrow K_1 \leftrightarrow \Gamma_3 \rhd A_3 \uparrow K_3$ then the two derivations have equal sizes.

Proof: [By induction on the hypothesized derivations]

• Assume $\Gamma_1 \rhd A_1 :: \mathrm{T} \Leftrightarrow \Gamma_2 \rhd A_2 :: \mathrm{T}$ and $\Gamma_1 \rhd A_1 :: \mathrm{T} \Leftrightarrow \Gamma_3 \rhd A_3 :: \mathrm{T}$. Then $\Gamma_1 \rhd A_1 \Downarrow p_1$, $\Gamma_2 \rhd A_2 \Downarrow p_2$, $\Gamma_3 \rhd A_3 \Downarrow p_3$, $\Gamma_1 \rhd p_1 \uparrow \mathrm{T} \leftrightarrow \Gamma_2 \rhd p_2 \uparrow \mathrm{T}$, and $\Gamma_1 \rhd p_1 \uparrow \mathrm{T} \leftrightarrow \Gamma_3 \rhd p_3 \uparrow \mathrm{T}$. By the inductive hypothesis, these last two algorithmic judgments have equal sizes, so the original equivalences have equal sizes (greater by one).

• Assume $\Gamma_1 \rhd A_1 :: \mathrm{S}(B_1) \Leftrightarrow \Gamma_2 \rhd A_2 :: \mathrm{S}(B_2)$ and $\Gamma_1 \rhd A_1 :: \mathrm{S}(B_1) \Leftrightarrow \Gamma_3 \rhd A_3 :: \mathrm{S}(B_3)$. Then the derivations both have a size of one.

• Assume $\Gamma_1 \rhd A_1 :: \Pi\alpha{::}K'_1.K''_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: \Pi\alpha{::}K'_2.K''_2$ and $\Gamma_1 \rhd A_1 :: \Pi\alpha{::}K'_1.K''_1 \Leftrightarrow \Gamma_3 \rhd A_3 :: \Pi\alpha{::}K'_3.K''_3$. Then $\Gamma_1, \alpha{::}K'_1 \rhd A_1\,\alpha :: K''_1 \Leftrightarrow \Gamma_2, \alpha{::}K'_2 \rhd A_2\,\alpha :: K''_2$ and $\Gamma_1, \alpha{::}K'_1 \rhd A_1\,\alpha :: K''_1 \Leftrightarrow \Gamma_3, \alpha{::}K'_3 \rhd A_3\,\alpha :: K''_3$. By the inductive hypothesis these derivations have equal sizes and hence the original equivalence judgments have equal sizes (greater by one).

• Assume $\Gamma_1 \rhd A_1 :: \Sigma\alpha{::}K'_1.K''_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: \Sigma\alpha{::}K'_2.K''_2$ and $\Gamma_1 \rhd A_1 :: \Sigma\alpha{::}K'_1.K''_1 \Leftrightarrow \Gamma_3 \rhd A_3 :: \Sigma\alpha{::}K'_3.K''_3$. Then $\Gamma_1 \rhd \pi_1 A_1 :: K'_1 \Leftrightarrow \Gamma_2 \rhd \pi_1 A_2 :: K'_2$, $\Gamma_1 \rhd \pi_1 A_1 :: K'_1 \Leftrightarrow \Gamma_3 \rhd \pi_1 A_3 :: K'_3$, $\Gamma_1 \rhd \pi_2 A_1 :: [\pi_1 A_1/\alpha]K''_1 \Leftrightarrow \Gamma_2 \rhd \pi_2 A_2 :: [\pi_1 A_2/\alpha]K''_2$, and $\Gamma_1 \rhd \pi_2 A_1 :: [\pi_1 A_1/\alpha]K''_1 \Leftrightarrow \Gamma_3 \rhd \pi_2 A_3 :: [\pi_1 A_3/\alpha]K''_3$. Using the inductive hypothesis twice, the judgments have equal sizes.

• Assume $\Gamma_1 \rhd b_i \uparrow \mathrm{T} \leftrightarrow \Gamma_2 \rhd b_i \uparrow \mathrm{T}$ and $\Gamma_1 \rhd b_i \uparrow \mathrm{T} \leftrightarrow \Gamma_3 \rhd b_i \uparrow \mathrm{T}$. Both derivations have size one.

• Assume $\Gamma_1 \rhd \alpha \uparrow \Gamma_1(\alpha) \leftrightarrow \Gamma_2 \rhd \alpha \uparrow \Gamma_2(\alpha)$ and $\Gamma_1 \rhd \alpha \uparrow \Gamma_1(\alpha) \leftrightarrow \Gamma_3 \rhd \alpha \uparrow \Gamma_3(\alpha)$. Both derivations have size one.

• The remaining three cases follow directly by the inductive hypothesis.

■

Lemma 5.4.2

1. If $\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: K_2$ then the derivation $\Gamma_2 \rhd A_2 :: K_2 \Leftrightarrow \Gamma_1 \rhd A_1 :: K_1$ has the same size.

2. If $\Gamma_1 \rhd A_1 \uparrow K_1 \leftrightarrow \Gamma_2 \rhd A_2 \uparrow K_2$ then the derivation $\Gamma_2 \rhd A_2 \uparrow K_2 \leftrightarrow \Gamma_1 \rhd A_1 \uparrow K_1$ has the same size.

Proof: The two derivations are mirror-images of each other, and hence use the same number of rules of each kind. ■

I can then show the completeness of the four-place algorithm with respect to the six-place algorithm.

Lemma 5.4.3

1. If $\vdash \Gamma_1 = \Gamma_2$, $\Gamma_1 \vdash K_1 = K_2$, $\Gamma_1 \vdash A_1 :: K_1$, $\Gamma_2 \vdash A_2 :: K_2$, and $\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: K_2$ then $\Gamma_1 \rhd A_1 \Leftrightarrow A_2 :: K_1$.

2. If $\vdash \Gamma_1 = \Gamma_2$, $\Gamma_1 \vdash K_1 = K_2$, $\Gamma_1 \vdash A_1 :: K_1$, $\Gamma_2 \vdash A_2 :: K_2$, and $\Gamma_1 \rhd A_1 \uparrow K_1 \leftrightarrow \Gamma_2 \rhd A_2 \uparrow K_2$ then $\Gamma_1 \rhd A_1 \leftrightarrow A_2 \uparrow K_1$.

Proof: [By induction on the size of the hypothesized algorithmic derivation.]

Assume $\vdash \Gamma_1 = \Gamma_2$, $\Gamma_1 \vdash K_1 = K_2$, $\Gamma_1 \vdash A_1 :: K_1$, and $\Gamma_2 \vdash A_2 :: K_2$.

• Case: $\Gamma_1 \rhd A_1 :: \mathrm{T} \Leftrightarrow \Gamma_2 \rhd A_2 :: \mathrm{T}$ because $\Gamma_1 \rhd A_1 \Downarrow p_1$, $\Gamma_2 \rhd A_2 \Downarrow p_2$, and $\Gamma_1 \rhd p_1 \uparrow \mathrm{T} \leftrightarrow \Gamma_2 \rhd p_2 \uparrow \mathrm{T}$.

Now by the completeness of the six-place algorithm we have $\Gamma_1 \rhd A_1 :: \mathrm{T} \Leftrightarrow \Gamma_1 \rhd A_2 :: \mathrm{T}$, where $\Gamma_1 \rhd A_2 \Downarrow p'_2$ and $\Gamma_1 \rhd p_1 \uparrow \mathrm{T} \leftrightarrow \Gamma_1 \rhd p'_2 \uparrow \mathrm{T}$.

By Lemma 5.4.1, the two proofs of algorithmic path equivalence have equal sizes. Since this size is less than the size of the original algorithmic judgment (by one), we may apply the inductive hypothesis to the second derivation to get $\Gamma_1 \rhd p_1 \leftrightarrow p'_2 \uparrow \mathrm{T}$. Therefore, $\Gamma_1 \rhd A_1 \Leftrightarrow A_2 :: \mathrm{T}$.

• The remaining cases are all either trivial or follow easily from the inductive hypothesis.

■


Theorem 5.4.4 (Completeness for Constructors and Kinds)

1. If $\Gamma \vdash A_1 = A_2 :: K$ then $\Gamma \rhd A_1 \Leftrightarrow A_2 :: K$.

2. If $\Gamma \vdash K$ then $\Gamma \rhd K$.

3. If $\Gamma \vdash K_1 \le K_2$ then $\Gamma \rhd K_1 \le K_2$.

4. If $\Gamma \vdash K_1 = K_2$ then $\Gamma \rhd K_1 \Leftrightarrow K_2$.

5. If $\Gamma \vdash A :: K$ then $\Gamma \rhd A \uparrow L$ and $\Gamma \rhd A \Uparrow L$.

6. If $\Gamma \vdash A :: K$ then $\Gamma \rhd A \Leftarrow K$.

Proof:

1. Assume $\Gamma \vdash A_1 = A_2 :: K$. By the completeness of the six-place algorithm, $\Gamma \rhd A_1 :: K \Leftrightarrow \Gamma \rhd A_2 :: K$. Then $\Gamma \rhd A_1 \Leftrightarrow A_2 :: K$ by Lemma 5.4.3.

2-6. By part 1 and induction on derivations.

■

Lemma 5.4.5

If $\Gamma \rhd p_1 \leftrightarrow p_2 \uparrow K_1$, $\Gamma \vdash p_1 :: K_1$, and $\Gamma \vdash p_2 :: L$ then $\Gamma \rhd p_2 \uparrow K_2$ for some kind $K_2$, and $\Gamma \vdash K_1 = K_2$.
Lemma 5.4.6

1. If $\Gamma \rhd p_1 \leftrightarrow p_1 \uparrow K_1$, $\Gamma \vdash p_1 :: K_1$, and $\Gamma \vdash p_2 :: L$ then it is decidable whether $\Gamma \rhd p_1 \leftrightarrow p_2 \uparrow K_1$ is provable.

2. If $\Gamma \rhd A_1 \Leftrightarrow A_1 :: K$, $\Gamma \vdash A_1 :: K$ and $\Gamma \vdash A_2 :: K$ then it is decidable whether $\Gamma \rhd A_1 \Leftrightarrow A_2 :: K$ is provable.

3. If $\Gamma \rhd K_1 \Leftrightarrow K_1$, $\Gamma \vdash K_1$ and $\Gamma \vdash K_2$ then it is decidable whether $\Gamma \rhd K_1 \Leftrightarrow K_2$ is provable.

Proof:

1-2. By induction on algorithmic derivations.

The sequence of constructor and path comparisons is driven by $\Gamma$ and either $p_1$ or $A_1$ and $K$. In particular, this is independent of $A_2$ or $p_2$. Thus the only possible problem would be for head normalization to fail to terminate, which can be seen to be impossible by completeness of the revised algorithm.

3. By induction on kinds, using part 2.

■

Theorem 5.4.7 (Decidability for Constructors and Kinds)

1. If $\Gamma \vdash A_1 :: K$ and $\Gamma \vdash A_2 :: K$ then $\Gamma \rhd A_1 \Leftrightarrow A_2 :: K$ is decidable.

2. If $\Gamma \vdash K_1$ and $\Gamma \vdash K_2$ then $\Gamma \rhd K_1 \Leftrightarrow K_2$ is decidable.

3. If $\Gamma \vdash K_1$ and $\Gamma \vdash K_2$ then $\Gamma \rhd K_1 \le K_2$ is decidable.

4. If $\Gamma \vdash K_1$ and $\Gamma \vdash K_2$ then $\Gamma \rhd K_1 \Leftrightarrow K_2$ is decidable.

5. If $\Gamma \vdash \mathrm{ok}$ then $\Gamma \rhd K$ is decidable.

6. If $\Gamma \vdash \mathrm{ok}$ then it is decidable whether $\Gamma \rhd A \Uparrow K$ holds for some $K$.

7. If $\Gamma \vdash K$ then $\Gamma \rhd A \Leftarrow K$ is decidable.

Proof:

1-2. Follows from reflexivity of constructor and kind equivalence, Completeness, and Lemma 5.4.6.

3-7. By parts 1 and 2 and by induction on the sizes of constructors and kinds.

■

5.5 Normalization

The revised equivalence algorithms in Figure 5.1 are effectively doing the work of normalizing the two constructors or two kinds being compared. However, because the algorithm interleaves this process with comparisons, the normalized constructors and kinds need not be explicitly constructed. This is beneficial for implementations, but it is still interesting and useful to consider the normalization process in isolation. The corresponding algorithms are shown in Figure 5.5.

Lemma 5.5.1 (Determinacy of Normalization)

1. If $\Gamma \rhd A :: K \Rightarrow B_1$ and $\Gamma \rhd A :: K \Rightarrow B_2$ then $B_1 = B_2$.

2. If $\Gamma \rhd p \to p'_1 \uparrow K_1$ and $\Gamma \rhd p \to p'_2 \uparrow K_2$ then $p'_1 = p'_2$ and $K_1 = K_2$.

3. If $\Gamma \rhd K \Rightarrow L_1$ and $\Gamma \rhd K \Rightarrow L_2$ then $L_1 = L_2$.

Proof: By induction on algorithmic derivations. ■

Constructor Normalization

$\Gamma \rhd A :: \mathrm{T} \Rightarrow A''$ if $\Gamma \rhd A \Downarrow A'$ and $\Gamma \rhd A' \to A'' \uparrow \mathrm{T}$

$\Gamma \rhd A :: \mathrm{S}(B) \Rightarrow A''$ if $\Gamma \rhd A \Downarrow A'$ and $\Gamma \rhd A' \to A'' \uparrow \mathrm{T}$

$\Gamma \rhd A :: \Pi\alpha{::}K'.K'' \Rightarrow \lambda\alpha{::}L'.B$ if $\Gamma \rhd K' \Rightarrow L'$ and $\Gamma, \alpha{::}K' \rhd (A\,\alpha) :: K'' \Rightarrow B$

$\Gamma \rhd A :: \Sigma\alpha{::}K'.K'' \Rightarrow (B', B'')$ if $\Gamma \rhd \pi_1 A :: K' \Rightarrow B'$ and $\Gamma \rhd \pi_2 A :: [\pi_1 A/\alpha]K'' \Rightarrow B''$

Path Normalization

$\Gamma \rhd b_i \to b_i \uparrow \mathrm{T}$

$\Gamma \rhd {\times} \to {\times} \uparrow \mathrm{T} \to \mathrm{T} \to \mathrm{T}$

$\Gamma \rhd {\to} \to {\to} \uparrow \mathrm{T} \to \mathrm{T} \to \mathrm{T}$

$\Gamma \rhd \alpha \to \alpha \uparrow \Gamma(\alpha)$

$\Gamma \rhd p\,A \to p'\,A' \uparrow [A/\alpha]K''$ if $\Gamma \rhd p \to p' \uparrow \Pi\alpha{::}K'.K''$ and $\Gamma \rhd A :: K' \Rightarrow A'$

$\Gamma \rhd \pi_1 p \to \pi_1 p' \uparrow K'$ if $\Gamma \rhd p \to p' \uparrow \Sigma\alpha{::}K'.K''$

$\Gamma \rhd \pi_2 p \to \pi_2 p' \uparrow [\pi_1 p/\alpha]K''$ if $\Gamma \rhd p \to p' \uparrow \Sigma\alpha{::}K'.K''$

Kind Normalization

$\Gamma \rhd \mathrm{T} \Rightarrow \mathrm{T}$

$\Gamma \rhd \mathrm{S}(A) \Rightarrow \mathrm{S}(A')$ if $\Gamma \rhd A :: \mathrm{T} \Rightarrow A'$

$\Gamma \rhd \Pi\alpha{::}K'.K'' \Rightarrow \Pi\alpha{::}L'.L''$ if $\Gamma \rhd K' \Rightarrow L'$ and $\Gamma, \alpha{::}K' \rhd K'' \Rightarrow L''$

$\Gamma \rhd \Sigma\alpha{::}K'.K'' \Rightarrow \Sigma\alpha{::}L'.L''$ if $\Gamma \rhd K' \Rightarrow L'$ and $\Gamma, \alpha{::}K' \rhd K'' \Rightarrow L''$

Figure 5.5: Constructor and Kind Normalization
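The normalization rules of Figure 5.5 carried out on a small fragment of MILo, as an added example that is not part of the thesis or of the TILT compiler. Constructors are constants, variables, λ, application, pairs and projections; kinds are T, S(A), Π and Σ. The head-normalization step Γ ⊳ A ⇓ A' is implemented as β and projection reduction at the head plus the singleton-kind rule (a path whose extracted kind is S(B) becomes B); the sample context GAMMA is constructed for the illustration, and binder names are assumed globally distinct.

```python
"""Normalization of constructors, paths and kinds (Figure 5.5) for a fragment
of MILo; an added illustration, not the thesis's or TILT's own code."""

# Constructors: ('const', c) | ('var', a) | ('lam', a, K, A) | ('app', A, B)
#               | ('pair', A, B) | ('proj', i, A)             (i in {1, 2})
# Kinds:        ('T',) | ('S', A) | ('Pi', a, K1, K2) | ('Sigma', a, K1, K2)
# Context:      tuple of (name, kind) pairs; constants are given kind T.
# Binder names are assumed globally distinct (assumption), so substitution
# performs no renaming.

def subst(tree, name, repl):
    """[repl/name]tree on the tuple encoding of a constructor or kind."""
    if isinstance(tree, tuple):
        if tree[0] == 'var' and tree[1] == name:
            return repl
        return tuple(subst(t, name, repl) for t in tree)
    return tree

def lookup(ctx, a):
    for name, kind in reversed(ctx):
        if name == a:
            return kind
    raise KeyError(a)

def natural_kind(ctx, p):
    """The kind extracted from a path p (the kind part of the path rules)."""
    if p[0] == 'const':
        return ('T',)
    if p[0] == 'var':
        return lookup(ctx, p[1])
    if p[0] == 'app':                       # head has kind Pi a::K'.K''
        k = natural_kind(ctx, p[1])
        return subst(k[3], k[1], p[2])      # [B/a]K''
    if p[0] == 'proj':                      # head has kind Sigma a::K'.K''
        k = natural_kind(ctx, p[2])
        return k[2] if p[1] == 1 else subst(k[3], k[1], ('proj', 1, p[2]))
    raise ValueError('not a path: %r' % (p,))

def whnf(ctx, A):
    """Head normalization  Gamma |> A ⇓ A'.  Besides beta and projection
    reduction at the head, a path whose extracted kind is S(B) becomes B,
    which is how singleton kinds drive the algorithm."""
    while True:
        if A[0] == 'app':
            head = whnf(ctx, A[1])
            if head[0] == 'lam':
                A = subst(head[3], head[1], A[2])
                continue
            A = ('app', head, A[2])
        elif A[0] == 'proj':
            head = whnf(ctx, A[2])
            if head[0] == 'pair':
                A = head[A[1]]
                continue
            A = ('proj', A[1], head)
        if A[0] in ('const', 'var', 'app', 'proj'):
            k = natural_kind(ctx, A)
            if k[0] == 'S':
                A = k[1]
                continue
        return A

def norm_kind(ctx, K):
    """Gamma |> K => L."""
    if K[0] == 'T':
        return K
    if K[0] == 'S':
        return ('S', norm_con(ctx, K[1], ('T',)))
    a, K1, K2 = K[1], K[2], K[3]
    return (K[0], a, norm_kind(ctx, K1), norm_kind(ctx + ((a, K1),), K2))

def norm_path(ctx, p):
    """Gamma |> p -> p' ↑ K: normalize the arguments of a head-normal path."""
    if p[0] in ('const', 'var'):
        return p, natural_kind(ctx, p)
    if p[0] == 'app':
        q, k = norm_path(ctx, p[1])          # k = Pi a::K'.K''
        return ('app', q, norm_con(ctx, p[2], k[2])), subst(k[3], k[1], p[2])
    q, k = norm_path(ctx, p[2])              # k = Sigma a::K'.K''
    if p[1] == 1:
        return ('proj', 1, q), k[2]
    return ('proj', 2, q), subst(k[3], k[1], ('proj', 1, p[2]))

def norm_con(ctx, A, K):
    """Gamma |> A :: K => B, directed by the kind K as in Figure 5.5."""
    if K[0] in ('T', 'S'):
        return norm_path(ctx, whnf(ctx, A))[0]
    a, K1, K2 = K[1], K[2], K[3]
    if K[0] == 'Pi':                         # eta-expand: lam a::L'.B
        body = norm_con(ctx + ((a, K1),), ('app', A, ('var', a)), K2)
        return ('lam', a, norm_kind(ctx, K1), body)
    first = norm_con(ctx, ('proj', 1, A), K1)                      # Sigma
    second = norm_con(ctx, ('proj', 2, A), subst(K2, a, ('proj', 1, A)))
    return ('pair', first, second)

# Constructed sample context (assumption): alpha :: T, beta :: S(alpha),
# f :: Pi g::T.T, and p :: Sigma g::T.S(g).
GAMMA = (('alpha', ('T',)),
         ('beta', ('S', ('var', 'alpha'))),
         ('f', ('Pi', 'g', ('T',), ('T',))),
         ('p', ('Sigma', 'g', ('T',), ('S', ('var', 'g')))))

def example():
    """Normal forms of  f beta  at kind T,  f  at its Pi kind, and  p  at its Sigma kind."""
    return (norm_con(GAMMA, ('app', ('var', 'f'), ('var', 'beta')), ('T',)),
            norm_con(GAMMA, ('var', 'f'), lookup(GAMMA, 'f')),
            norm_con(GAMMA, ('var', 'p'), lookup(GAMMA, 'p')))
```

The first result replaces beta by alpha through beta's singleton kind, the second is the η-expansion produced by the Π rule, and the third shows how the Σ rule together with the singleton kind S(g) turns p into the pair (π1 p, π1 p).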

Lemma 5.5.2 (Soundness of Normalization)

1. If $\Gamma \vdash A :: K$ and $\Gamma \rhd A :: K \Rightarrow B$ then $\Gamma \vdash A = B :: K$.

2. If $\Gamma \vdash p :: K$ and $\Gamma \rhd p \to p' \uparrow L$ then $\Gamma \vdash p = p' :: L$.

3. If $\Gamma \vdash K$ and $\Gamma \rhd K \Rightarrow L$ then $\Gamma \vdash K = L$.

Proof: By induction on algorithmic derivations. ■

Theorem 5.5.3

Assume $\vdash \Gamma_1 = \Gamma_2$ and $\Gamma_1 \vdash K_1 = K_2$.

1. $\Gamma_1 \rhd A_1 :: K_1 \Leftrightarrow \Gamma_2 \rhd A_2 :: K_2$ if and only if $\Gamma_1 \rhd A_1 :: K_1 \Rightarrow B$ and $\Gamma_2 \rhd A_2 :: K_2 \Rightarrow B$ for some $B$.

2. $\Gamma_1 \rhd p_1 \uparrow K_1 \leftrightarrow \Gamma_2 \rhd p_2 \uparrow K_2$ if and only if $\Gamma_1 \rhd p_1 \to p' \uparrow K'_1$ and $\Gamma_2 \rhd p_2 \to p' \uparrow K'_2$ for some $p'$, $K'_1$, and $K'_2$.

3. $\Gamma_1 \rhd K_1 \Leftrightarrow \Gamma_2 \rhd K_2$ if and only if $\Gamma_1 \rhd K_1 \Rightarrow L$ and $\Gamma_2 \rhd K_2 \Rightarrow L$ for some $L$.

Proof:

$\Rightarrow$ By induction on algorithmic derivations.

$\Leftarrow$ By soundness of normalization, transitivity and symmetry, and completeness of the revised equivalence algorithm.

Corollary 5.5.4 (Normalization of Constructors and Kinds)

1. If $\vdash \Gamma_1 = \Gamma_2$, $\Gamma_1 \vdash A_1 :: K$ and $\Gamma_2 \vdash A_2 :: K$ then $\Gamma_1 \vdash A_1 = A_2 :: K$ if and only if $\Gamma_1 \rhd A_1 :: K \Rightarrow B$ and $\Gamma_2 \rhd A_2 :: K \Rightarrow B$.

2. If $\vdash \Gamma_1 = \Gamma_2$, $\Gamma_1 \vdash K_1$ and $\Gamma_2 \vdash K_2$ then $\Gamma_1 \vdash K_1 = K_2$ if and only if $\Gamma_1 \rhd K_1 \Rightarrow L$ and $\Gamma_2 \rhd K_2 \Rightarrow L$.
Chapter 6


Algorithms for Type and Term 
Judgments 

6.1 Introduction 

I now turn to the term and type levels of MILo; the development parallels that for constructors and 
kinds. In this chapter I consider algorithms corresponding to the term and type judgments, proving 
soundness, and partial completeness and termination results depending on term equivalence. Term 
equivalence is then studied in detail in the following chapter. 


6.2 Type Head-Normalization 

The kind-equivalence and subkinding relations are very simple and structural, and inversion immediately yields various useful properties such as "if two $\Pi$ kinds are equivalent then their domain kinds are equivalent and their codomain kinds are equivalent". It is clear from inspection of type equivalence that a universally-quantified type can only be equivalent to another universally-quantified type (and that in this case the domain kinds are equivalent as are the codomain types), and similar properties hold for singleton types. However, the fact that there is no chain of equivalences

$\mathrm{Ty}(A_1) \times \mathrm{Ty}(A_2) = \mathrm{Ty}(A_1 \times A_2) = \mathrm{Ty}(B_1 \to B_2) = \mathrm{Ty}(B_1) \to \mathrm{Ty}(B_2)$

equating a function type with a product type (or a chain equating a product type and $\mathrm{Ty}(\mathrm{Int})$, etc.) is a consequence of the consistency properties of constructor equivalence, which were proved in the previous chapter.

It is convenient to extend the head-normalization algorithm for constructors to the head-normalization of types; this algorithm is shown in Figure 6.1. The head-normalization algorithm attempts to turn any type of the form $\mathrm{Ty}(A)$ into an equivalent function type or product type, and leaves all other types unchanged. Viewed as an algorithm the judgment $\Gamma \rhd \tau \Downarrow \sigma$ takes inputs $\Gamma$ and $\tau$ with $\Gamma \vdash \tau$ and produces the type $\sigma$. It depends upon a typing context because it uses the constructor head-normalization, which is context-dependent.

Lemma 6.2.1 (Type Head-Normalization)

If $\Gamma \vdash \tau$ then there exists a unique $\sigma$ such that $\Gamma \rhd \tau \Downarrow \sigma$. Furthermore, $\Gamma \vdash \tau = \sigma$.

Proof: By induction on the derivation of type well-formedness, using the soundness of weak head-reduction for constructors. ■
Type head normalization

$\Gamma \rhd \mathrm{Ty}(A) \Downarrow \mathrm{Ty}(A_1) \times \mathrm{Ty}(A_2)$ if $\Gamma \rhd A \Downarrow A_1 \times A_2$

$\Gamma \rhd \mathrm{Ty}(A) \Downarrow \mathrm{Ty}(A_1) \to \mathrm{Ty}(A_2)$ if $\Gamma \rhd A \Downarrow A_1 \to A_2$

$\Gamma \rhd \tau \Downarrow \tau$ otherwise

Figure 6.1: Head Normalization Algorithm for Types


Use of head-normalization allows a sufficiently strong induction hypothesis to prove useful inversion properties for type equivalence and for subtyping.

Theorem 6.2.2 (Inversion of Type Equivalence)

Assume $\Gamma \vdash \tau_1 = \tau_2$.

1. $\Gamma \rhd \tau_1 \Downarrow (x{:}\tau'_1) \to \tau''_1$ if and only if $\Gamma \rhd \tau_2 \Downarrow (x{:}\tau'_2) \to \tau''_2$. Furthermore, in this case $\Gamma \vdash \tau'_1 = \tau'_2$ and $\Gamma, x{:}\tau'_1 \vdash \tau''_1 = \tau''_2$.

2. $\Gamma \rhd \tau_1 \Downarrow (x{:}\tau'_1) \times \tau''_1$ if and only if $\Gamma \rhd \tau_2 \Downarrow (x{:}\tau'_2) \times \tau''_2$. Furthermore, in this case $\Gamma \vdash \tau'_1 = \tau'_2$ and $\Gamma, x{:}\tau'_1 \vdash \tau''_1 = \tau''_2$.

3. $\Gamma \rhd \tau_1 \Downarrow \mathrm{Ty}(b)$ if and only if $\Gamma \rhd \tau_2 \Downarrow \mathrm{Ty}(b)$.

4. $\tau_1 = \forall\alpha{::}K'_1.\tau''_1$ if and only if $\tau_2 = \forall\alpha{::}K'_2.\tau''_2$. Furthermore, in this case $\Gamma \vdash K'_1 = K'_2$ and $\Gamma, \alpha{::}K'_1 \vdash \tau''_1 = \tau''_2$.

5. $\tau_1 = \mathrm{S}(v_1 : \tau'_1)$ if and only if $\tau_2 = \mathrm{S}(v_2 : \tau'_2)$. Furthermore, in this case $\Gamma \vdash v_1 = v_2 : \tau'_1$ and $\Gamma \vdash \tau'_1 = \tau'_2$.

Proof: By induction on the proof of $\Gamma \vdash \tau_1 = \tau_2$. ■

Theorem 6.2.3 (Subtyping Inversion)

Assume $\Gamma \vdash \tau_1 \le \tau_2$.

1. If $\Gamma \rhd \tau_1 \Downarrow (x{:}\tau'_1) \to \tau''_1$ then $\Gamma \rhd \tau_2 \Downarrow (x{:}\tau'_2) \to \tau''_2$. Furthermore, in this case $\Gamma \vdash \tau'_2 \le \tau'_1$ and $\Gamma, x{:}\tau'_2 \vdash \tau''_1 \le \tau''_2$.

2. If $\Gamma \rhd \tau_2 \Downarrow (x{:}\tau'_2) \to \tau''_2$ then $\tau_1$ is a singleton type or else $\Gamma \rhd \tau_1 \Downarrow (x{:}\tau'_1) \to \tau''_1$ and $\Gamma \vdash \tau'_2 \le \tau'_1$ and $\Gamma, x{:}\tau'_2 \vdash \tau''_1 \le \tau''_2$.

3. If $\Gamma \rhd \tau_1 \Downarrow (x{:}\tau'_1) \times \tau''_1$ then $\Gamma \rhd \tau_2 \Downarrow (x{:}\tau'_2) \times \tau''_2$. Furthermore, in this case $\Gamma \vdash \tau'_1 \le \tau'_2$ and $\Gamma, x{:}\tau'_1 \vdash \tau''_1 \le \tau''_2$.

4. If $\Gamma \rhd \tau_2 \Downarrow (x{:}\tau'_2) \times \tau''_2$ then $\tau_1$ is a singleton type or else $\Gamma \rhd \tau_1 \Downarrow (x{:}\tau'_1) \times \tau''_1$ and $\Gamma \vdash \tau'_1 \le \tau'_2$ and $\Gamma, x{:}\tau'_1 \vdash \tau''_1 \le \tau''_2$.

5. If $\Gamma \rhd \tau_1 \Downarrow \mathrm{Ty}(b)$ then $\Gamma \rhd \tau_2 \Downarrow \mathrm{Ty}(b)$.

6. If $\Gamma \rhd \tau_2 \Downarrow \mathrm{Ty}(b)$ then $\tau_1$ is a singleton type or else $\Gamma \rhd \tau_1 \Downarrow \mathrm{Ty}(b)$.

7. If $\tau_1 = \forall\alpha{::}K'_1.\tau''_1$ then $\tau_2 = \forall\alpha{::}K'_2.\tau''_2$ and $\Gamma \vdash K'_2 \le K'_1$ and $\Gamma, \alpha{::}K'_2 \vdash \tau''_1 \le \tau''_2$.

8. If $\tau_2 = \forall\alpha{::}K'_2.\tau''_2$ then $\tau_1$ is a singleton type or else $\tau_1 = \forall\alpha{::}K'_1.\tau''_1$ and $\Gamma \vdash K'_2 \le K'_1$ and $\Gamma, \alpha{::}K'_2 \vdash \tau''_1 \le \tau''_2$.

9. If $\tau_1 = \mathrm{S}(v_1 : \sigma_1)$ then either $\tau_2 = \mathrm{S}(v_2 : \sigma_2)$, $\Gamma \vdash \sigma_1 = \sigma_2$, and $\Gamma \vdash v_1 = v_2 : \sigma_1$, or else $\tau_2$ is not a singleton and $\Gamma \vdash \sigma_1 \le \tau_2$.

10. If $\tau_2 = \mathrm{S}(v_2 : \sigma_2)$ then $\tau_1 = \mathrm{S}(v_1 : \sigma_1)$, $\Gamma \vdash \sigma_1 = \sigma_2$, and $\Gamma \vdash v_1 = v_2 : \sigma_1$.

Proof: By induction on the proof of $\Gamma \vdash \tau_1 \le \tau_2$. ■
Singleton stripping

$(\mathrm{S}(v : \tau))^{\$} := \tau$

$\tau^{\$} := \tau$ if $\tau$ is not a singleton

Principal type synthesis

$\Gamma \rhd n \Uparrow \mathrm{S}(n : \mathrm{int})$

$\Gamma \rhd x \Uparrow \mathrm{S}(x : \Gamma(x)^{\$})$

$\Gamma \rhd \mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e \Uparrow \mathrm{S}((\mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e) : (x{:}\tau') \to \tau'')$

$\Gamma \rhd \Lambda(\alpha{::}K){:}\tau.e \Uparrow \mathrm{S}(\Lambda(\alpha{::}K){:}\tau.e : \forall\alpha{::}K.\tau)$

$\Gamma \rhd (v_1, v_2) \Uparrow \mathrm{S}((v_1, v_2) : \tau_1 \times \tau_2)$ if $\Gamma \rhd v_1 \Uparrow \tau_1$ and $\Gamma \rhd v_2 \Uparrow \tau_2$

$\Gamma \rhd \pi_1 v \Uparrow \mathrm{S}(\pi_1 v : \tau'^{\$})$ if $\Gamma \rhd v \Uparrow \tau$ and $\Gamma \rhd \tau^{\$} \Downarrow (x{:}\tau') \times \tau''$

$\Gamma \rhd \pi_2 v \Uparrow \mathrm{S}(\pi_2 v : ([\pi_1 v/x]\tau'')^{\$})$ if $\Gamma \rhd v \Uparrow \tau$ and $\Gamma \rhd \tau^{\$} \Downarrow (x{:}\tau') \times \tau''$

$\Gamma \rhd v\,v' \Uparrow [v'/x]\tau''$ if $\Gamma \rhd v \Uparrow \tau$ and $\Gamma \rhd \tau^{\$} \Downarrow (x{:}\tau') \to \tau''$

$\Gamma \rhd v\,A \Uparrow [A/\alpha]\tau''$ if $\Gamma \rhd v \Uparrow \tau$ and $\tau^{\$} = \forall\alpha{::}K.\tau''$

$\Gamma \rhd \mathsf{let}\ x{:}\tau' = e'\ \mathsf{in}\ e : \tau\ \mathsf{end} \Uparrow \tau$

Figure 6.2: Principal Type Synthesis Algorithm


6.3 Principal Types

Just as every well-formed constructor has a most-specific kind, every well-formed term has a most-specific type (up to equivalence). The algorithmic judgment $\Gamma \rhd e \Uparrow \tau$ determines the principal type $\tau$ of the term $e$ under context $\Gamma$. This algorithm uses the auxiliary notion of a stripped type; for any type $\tau$, the stripped type $\tau^{\$}$ is the type label of $\tau$ if $\tau$ is a singleton type, and is $\tau$ otherwise. Note that because nested singletons are disallowed, $\tau^{\$}$ can never be a singleton type.
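Type head-normalization (Figure 6.1), singleton stripping and the principal type synthesis rules of Figure 6.2, run on a fragment of the term language as an added example that is not the thesis's own code. Constructor head-normalization is restricted to the singleton-kind rule, binder names are assumed distinct, and the sample context (α :: S(Int×Int), p : Ty(α), f : (y:Ty(Int))→S(y : Ty(Int))) is constructed for the illustration.

```python
"""Type head-normalization (Figure 6.1), singleton stripping and principal
type synthesis (Figure 6.2) for a fragment of MILo; an added illustration."""

# Constructors: ('const', c) | ('cvar', a) | ('x', A1, A2) | ('->', A1, A2)
# Kinds:        ('T',) | ('S', A)                 (Pi and Sigma kinds omitted)
# Types:        ('Ty', A) | ('arrow', x, t1, t2) | ('prod', x, t1, t2)
#               | ('forall', a, K, t) | ('sing', v, t)        (S(v : t))
# Values:       ('int', n) | ('var', x) | ('fun', f, x, t1, t2, e)
#               | ('tfun', a, K, t, e) | ('pair', v1, v2) | ('proj', i, v)
#               | ('app', v, w) | ('tapp', v, A) | ('let', x, t1, e1, e, t)
# Binder names are assumed distinct (assumption), so subst does no renaming.

INT = ('Ty', ('const', 'Int'))

class Ctx:
    """Typing context Gamma: kinds of constructor variables, types of term variables."""
    def __init__(self, kinds=None, types=None):
        self.kinds = dict(kinds or {})
        self.types = dict(types or {})

def subst(tree, tag, name, repl):
    """[repl/name]tree, where tag selects term ('var') or constructor ('cvar') variables."""
    if isinstance(tree, tuple):
        if tree[0] == tag and tree[1] == name:
            return repl
        return tuple(subst(t, tag, name, repl) for t in tree)
    return tree

def whnf_con(ctx, A):
    """Constructor head-normalization restricted to the singleton-kind rule:
    a variable of kind S(B) is replaced by B until no such step applies."""
    while A[0] == 'cvar' and ctx.kinds.get(A[1], ('T',))[0] == 'S':
        A = ctx.kinds[A[1]][1]
    return A

def whnf_type(ctx, tau):
    """Figure 6.1: Ty(A) becomes Ty(A1) x Ty(A2) or Ty(A1) -> Ty(A2) when A
    head-normalizes to a product or arrow constructor; other types are unchanged."""
    if tau[0] == 'Ty':
        A = whnf_con(ctx, tau[1])
        if A[0] == 'x':
            return ('prod', '_', ('Ty', A[1]), ('Ty', A[2]))
        if A[0] == '->':
            return ('arrow', '_', ('Ty', A[1]), ('Ty', A[2]))
    return tau

def strip(tau):
    """Singleton stripping: the type label of S(v : t) is t; other types are unchanged."""
    return tau[2] if tau[0] == 'sing' else tau

def synth(ctx, e):
    """Figure 6.2: the principal type of e under ctx (TypeError if no rule applies)."""
    tag = e[0]
    if tag == 'int':
        return ('sing', e, INT)
    if tag == 'var':
        return ('sing', e, strip(ctx.types[e[1]]))
    if tag == 'fun':
        return ('sing', e, ('arrow', e[2], e[3], e[4]))
    if tag == 'tfun':
        return ('sing', e, ('forall', e[1], e[2], e[3]))
    if tag == 'pair':
        return ('sing', e, ('prod', '_', synth(ctx, e[1]), synth(ctx, e[2])))
    if tag == 'proj':
        i, v = e[1], e[2]
        t = whnf_type(ctx, strip(synth(ctx, v)))
        if t[0] != 'prod':
            raise TypeError('projection from a non-product type')
        comp = t[2] if i == 1 else subst(t[3], 'var', t[1], ('proj', 1, v))
        return ('sing', e, strip(comp))
    if tag == 'app':
        t = whnf_type(ctx, strip(synth(ctx, e[1])))
        if t[0] != 'arrow':
            raise TypeError('application of a non-function type')
        return subst(t[3], 'var', t[1], e[2])
    if tag == 'tapp':
        t = strip(synth(ctx, e[1]))
        if t[0] != 'forall':
            raise TypeError('constructor application to a non-polymorphic type')
        return subst(t[3], 'cvar', t[1], e[2])
    if tag == 'let':
        return e[5]
    raise TypeError('no synthesis rule for ' + tag)

# Constructed sample context (assumption): alpha :: S(Int x Int), p : Ty(alpha),
# f : (y:Ty(Int)) -> S(y : Ty(Int)).
GAMMA = Ctx(kinds={'alpha': ('S', ('x', ('const', 'Int'), ('const', 'Int')))},
            types={'p': ('Ty', ('cvar', 'alpha')),
                   'f': ('arrow', 'y', INT, ('sing', ('var', 'y'), INT))})

def example():
    """Principal types of  pi_1 p  and  f (pi_1 p)  under GAMMA; the singleton
    kind of alpha is what lets Ty(alpha) be split into a product."""
    first = synth(GAMMA, ('proj', 1, ('var', 'p')))
    applied = synth(GAMMA, ('app', ('var', 'f'), ('proj', 1, ('var', 'p'))))
    return first, applied
```

Both results are S(π1 p : Ty(Int)): the first because Ty(α) head-normalizes to a product through α's singleton kind, the second because the application rule substitutes π1 p for y in f's singleton codomain.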

Lemma 6.3.1 (Singleton Stripping) 

1. If T h t then Fhr<r $ . 

2. IfT\~Ti = T 2 then T h r= r 2 $. 

3. If T b t\ < 72 then F h ri $ < r 2 $. 

4 . If T h ri < t 2 then either r 2 is a singleton type or T b ri $ < T2. 

5. J/T h r then r $ is £/ie minimal non-singleton supertype of r. 

6. IfT\-v:r then T b S(t; : r $ ) < r. 

Proof: Part 1 follows by reflexivity or by Theorem 6.2.3 and Rule 2.62, depending on whether r 
is a singleton type or not. Parts 2-3 are shown by induction on derivations. Part 4 is a restatement 

of part 3. Finally, parts 5 and 6 follow by case analysis on the form of t. ■ 
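The stripping operation and the principal type synthesis algorithm of Figure 6.2, as an added worked example that is not part of the dissertation. It implements a fragment of the term and type language only: int, singleton types, dependent products and functions, pairs, projections and application. Ty(A) types, polymorphism and the let form are left out, so type head normalization is the identity and the strip step stands in for "Γ ▷ τ^$ ⇓ ...". Types and terms are plain tuples; the sample context SAMPLE_CTX and its variable names are constructed for the example, and substitution assumes binders are distinct from free variables of the substituted value.

```python
from typing import Dict, Tuple

# Types (a fragment of MILo: int, singletons, dependent products and functions;
# Ty(A) and forall-types are omitted, so type head normalization is the identity):
#   ('int',) | ('S', v, tau) | ('arrow', x, t1, t2) | ('times', x, t1, t2)
# Values and terms:
#   ('num', n) | ('var', x) | ('pair', v1, v2) | ('proj', i, v)
#   | ('fun', f, x, t1, t2, body)          -- fun f(x:t1):t2 is body
#   | ('app', v, arg)                      -- an application, which is not a value
Type = Tuple
Term = Tuple


def strip(tau: Type) -> Type:
    """Singleton stripping tau^$: the label of a singleton, otherwise tau itself."""
    return tau[2] if tau[0] == 'S' else tau


def subst_type(tau: Type, x: str, v: Term) -> Type:
    """[v/x]tau. Assumes binders are distinct from the free variables of v
    (this toy does no capture-avoiding renaming)."""
    tag = tau[0]
    if tag == 'int':
        return tau
    if tag == 'S':
        return ('S', subst_term(tau[1], x, v), subst_type(tau[2], x, v))
    _, y, t1, t2 = tau                                  # 'arrow' or 'times'
    t2s = t2 if y == x else subst_type(t2, x, v)        # the binder y shadows x
    return (tag, y, subst_type(t1, x, v), t2s)


def subst_term(e: Term, x: str, v: Term) -> Term:
    """[v/x]e on terms (needed because singleton labels contain values)."""
    tag = e[0]
    if tag == 'num':
        return e
    if tag == 'var':
        return v if e[1] == x else e
    if tag == 'pair':
        return ('pair', subst_term(e[1], x, v), subst_term(e[2], x, v))
    if tag == 'proj':
        return ('proj', e[1], subst_term(e[2], x, v))
    if tag == 'app':
        return ('app', subst_term(e[1], x, v), subst_term(e[2], x, v))
    _, f, y, t1, t2, body = e            # 'fun': t1 is outside the scope of y and f,
    t2s = t2 if y == x else subst_type(t2, x, v)              # t2 sees y,
    bodys = body if x in (f, y) else subst_term(body, x, v)   # body sees f and y
    return ('fun', f, y, subst_type(t1, x, v), t2s, bodys)


def synth(ctx: Dict[str, Type], e: Term) -> Type:
    """Principal type synthesis  ctx |> e ⇑ tau, following Figure 6.2."""
    tag = e[0]
    if tag == 'num':
        return ('S', e, ('int',))
    if tag == 'var':
        return ('S', e, strip(ctx[e[1]]))             # S(x : Gamma(x)^$)
    if tag == 'fun':
        _, _f, x, t1, t2, _body = e
        return ('S', e, ('arrow', x, t1, t2))
    if tag == 'pair':
        return ('S', e, ('times', '_', synth(ctx, e[1]), synth(ctx, e[2])))
    if tag == 'proj':
        s = strip(synth(ctx, e[2]))                   # tau^$ (already head-normal)
        if s[0] != 'times':
            raise TypeError('projection from a non-product value')
        _, x, t1, t2 = s
        if e[1] == 1:
            return ('S', e, strip(t1))                # S(pi1 v : tau'^$)
        # S(pi2 v : ([pi1 v / x] tau'')^$)
        return ('S', e, strip(subst_type(t2, x, ('proj', 1, e[2]))))
    if tag == 'app':
        s = strip(synth(ctx, e[1]))
        if s[0] != 'arrow':
            raise TypeError('application of a non-function value')
        _, x, _t1, t2 = s
        return subst_type(t2, x, e[2])                # [v'/x]tau'', no singleton wrapper
    raise TypeError(e)


def has_nested_singleton(tau: Type) -> bool:
    """The invariant from Section 6.3: synthesis never yields S(v : S(...))."""
    if tau[0] == 'S':
        return tau[2][0] == 'S' or has_nested_singleton(tau[2])
    if tau[0] in ('arrow', 'times'):
        return has_nested_singleton(tau[2]) or has_nested_singleton(tau[3])
    return False


# Constructed sample context: x is recorded as equal to 3, p is a pair whose
# second component is recorded as equal to its first, and f is an identity-like
# function whose result type remembers the argument.
SAMPLE_CTX: Dict[str, Type] = {
    'x': ('S', ('num', 3), ('int',)),
    'p': ('times', 'y', ('int',), ('S', ('var', 'y'), ('int',))),
    'f': ('arrow', 'z', ('int',), ('S', ('var', 'z'), ('int',))),
}
```

Two points of the algorithm are visible on SAMPLE_CTX: synthesizing the variable x yields S(x : int) rather than S(x : S(3 : int)), because Γ(x) is stripped first; and π₂ p yields S(π₂ p : int), because after substituting π₁ p for y the label S(π₁ p : int) is stripped again before being wrapped in the new singleton. Applying f to 3 returns [3/z]S(z : int) = S(3 : int) with no extra singleton, since an application is not a value.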

Theorem 6.3.2 (Principal Types)

1. If $\Gamma \vdash v : \sigma$ then $\Gamma \triangleright v \Uparrow \tau$ and $\Gamma \vdash v : \tau$ and $\Gamma \vdash \tau \le S(v : \sigma^{\$})$, so that $\Gamma \vdash \tau \le \sigma$.

2. If $\Gamma \vdash e : \sigma$ then $\Gamma \triangleright e \Uparrow \tau$ and $\Gamma \vdash e : \tau$ and $\Gamma \vdash \tau \le \sigma$.

Proof: By simultaneous induction on the proof of the first premise, and cases on the last typing rule used.


1.


• Case: Rule 2.67.

  $$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash n : \mathrm{int}}$$

  Then $\Gamma \triangleright n \Uparrow S(n : \mathrm{int})$ and $\Gamma \vdash n : S(n : \mathrm{int})$. By reflexivity, $\Gamma \vdash S(n : \mathrm{int}) \le S(n : \mathrm{int})$.

• Case: Rule 2.68.

  $$\frac{\Gamma \vdash \mathrm{ok}}{\Gamma \vdash x : \Gamma(x)}$$

  (a) $\Gamma \triangleright x \Uparrow S(x : \Gamma(x)^{\$})$.

  (b) Since $\Gamma \vdash \Gamma(x)$, by Lemma 6.3.1 we have $\Gamma \vdash \Gamma(x) \le \Gamma(x)^{\$}$

  (c) and hence $\Gamma \vdash x : \Gamma(x)^{\$}$.

  (d) By Rule 2.77, $\Gamma \vdash x : S(x : \Gamma(x)^{\$})$.

  (e) Finally by reflexivity, $\Gamma \vdash S(x : \Gamma(x)^{\$}) \le S(x : \Gamma(x)^{\$})$.

• Case: Rule 2.69.

  $$\frac{\Gamma, f{:}(x{:}\tau')\to\tau'', x{:}\tau' \vdash e : \tau''}{\Gamma \vdash \mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e : (x{:}\tau')\to\tau''}$$

  (a) First, $\Gamma \triangleright \mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e \Uparrow S(\mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e : (x{:}\tau')\to\tau'')$.

  (b) By Rule 2.77, $\Gamma \vdash \mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e : S(\mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e : (x{:}\tau')\to\tau'')$.

  (c) Finally, by reflexivity we have
  $\Gamma \vdash S(\mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e : (x{:}\tau')\to\tau'') \le S(\mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e : (x{:}\tau')\to\tau'')$.

• Case: Rule 2.70.

  $$\frac{\Gamma, \alpha{::}K' \vdash e : \sigma''}{\Gamma \vdash \Lambda(\alpha{::}K'){:}\sigma''.e : \forall\alpha{::}K'.\sigma''}$$

  (a) $\Gamma \triangleright \Lambda(\alpha{::}K'){:}\sigma''.e \Uparrow S(\Lambda(\alpha{::}K'){:}\sigma''.e : \forall\alpha{::}K'.\sigma'')$.

  (b) By Rule 2.77, $\Gamma \vdash \Lambda(\alpha{::}K'){:}\sigma''.e : S(\Lambda(\alpha{::}K'){:}\sigma''.e : \forall\alpha{::}K'.\sigma'')$.

  (c) Finally, $\Gamma \vdash \forall\alpha{::}K'.\sigma'' \le \forall\alpha{::}K'.\sigma''$ by reflexivity,

  (d) so $\Gamma \vdash S(\Lambda(\alpha{::}K'){:}\sigma''.e : \forall\alpha{::}K'.\sigma'') \le S(\Lambda(\alpha{::}K'){:}\sigma''.e : \forall\alpha{::}K'.\sigma'')$.

• Case: Rule 2.71.

  $$\frac{\Gamma \vdash v_1 : \sigma_1 \qquad \Gamma \vdash v_2 : \sigma_2}{\Gamma \vdash \langle v_1, v_2\rangle : \sigma_1 \times \sigma_2}$$

  (a) By the inductive hypothesis $\Gamma \triangleright v_1 \Uparrow \tau_1$ and $\Gamma \vdash v_1 : \tau_1$ and $\Gamma \vdash \tau_1 \le S(v_1 : \sigma_1^{\$})$,

  (b) and $\Gamma \triangleright v_2 \Uparrow \tau_2$ and $\Gamma \vdash v_2 : \tau_2$ and $\Gamma \vdash \tau_2 \le S(v_2 : \sigma_2^{\$})$.

  (c) Thus $\Gamma \triangleright \langle v_1, v_2\rangle \Uparrow S(\langle v_1, v_2\rangle : \tau_1 \times \tau_2)$.

  (d) Also, $\Gamma \vdash \langle v_1, v_2\rangle : \tau_1 \times \tau_2$,

  (e) so by Rule 2.77, $\Gamma \vdash \langle v_1, v_2\rangle : S(\langle v_1, v_2\rangle : \tau_1 \times \tau_2)$.

  (f) Finally, $\Gamma \vdash \tau_1 \times \tau_2 \le S(v_1 : \sigma_1^{\$}) \times S(v_2 : \sigma_2^{\$})$

  (g) and $\Gamma \vdash S(v_1 : \sigma_1^{\$}) \times S(v_2 : \sigma_2^{\$}) \le \sigma_1 \times \sigma_2$,

  (h) so $\Gamma \vdash S(\langle v_1, v_2\rangle : \tau_1 \times \tau_2) \le S(\langle v_1, v_2\rangle : \sigma_1 \times \sigma_2)$.

• Case: Rule 2.72.

  $$\frac{\Gamma \vdash v : (x{:}\sigma')\times\sigma''}{\Gamma \vdash \pi_1 v : \sigma'}$$

  (a) By the inductive hypothesis, $\Gamma \triangleright v \Uparrow \tau$ and $\Gamma \vdash v : \tau$ and $\Gamma \vdash \tau \le S(v : (x{:}\sigma')\times\sigma'')$.

  (b) By Lemma 6.3.1, $\Gamma \vdash \tau^{\$} \le (x{:}\sigma')\times\sigma''$

  (c) and hence by Theorem 6.2.3 $\Gamma \triangleright \tau^{\$} \Downarrow (x{:}\tau')\times\tau''$ with $\Gamma \vdash \tau' \le \sigma'$.

  (d) Thus $\Gamma \triangleright \pi_1 v \Uparrow S(\pi_1 v : \tau'^{\$})$.

  (e) By Lemmas 6.3.1 and 6.2.1 and subsumption, $\Gamma \vdash \pi_1 v : \tau'^{\$}$,

  (f) so by Rule 2.77 we have $\Gamma \vdash \pi_1 v : S(\pi_1 v : \tau'^{\$})$.

  (g) Finally, $\Gamma \vdash \tau'^{\$} \le \sigma'^{\$}$ by Lemma 6.3.1,

  (h) so $\Gamma \vdash S(\pi_1 v : \tau'^{\$}) \le S(\pi_1 v : \sigma'^{\$})$.

• Case: Rule 2.73. Analogous to previous case.

• Case: Rule 2.77.

  $$\frac{\Gamma \vdash v : \sigma}{\Gamma \vdash v : S(v : \sigma)}\ (\sigma \text{ not a singleton})$$

  (a) By the inductive hypothesis, $\Gamma \triangleright v \Uparrow \tau$ and $\Gamma \vdash v : \tau$ and $\Gamma \vdash \tau \le S(v : \sigma^{\$})$.

  (b) It suffices to observe that $S(v : (S(v : \sigma^{\$}))^{\$}) = S(v : \sigma^{\$})$.

• Case: Rule 2.78.

  $$\frac{\Gamma \vdash e : \sigma_1 \qquad \Gamma \vdash \sigma_1 \le \sigma_2}{\Gamma \vdash e : \sigma_2}$$

  (a) By the inductive hypothesis, $\Gamma \triangleright v \Uparrow \tau$ and $\Gamma \vdash v : \tau$ and $\Gamma \vdash \tau \le S(v : \sigma_1^{\$})$.

  (b) By Lemma 6.3.1, $\Gamma \vdash \sigma_1^{\$} \le \sigma_2^{\$}$,

  (c) so by transitivity, $\Gamma \vdash \tau \le S(v : \sigma_2^{\$})$.

2. • Case: $e$ is a value. Follows by Part 1, Lemma 6.3.1, and transitivity.

• Case: Rule 2.74.

  $$\frac{\Gamma \vdash v : (x{:}\sigma')\to\sigma'' \qquad \Gamma \vdash v' : \sigma'}{\Gamma \vdash v\ v' : [v'/x]\sigma''}$$

  (a) By the inductive hypothesis, $\Gamma \triangleright v \Uparrow \tau$ and $\Gamma \vdash v : \tau$ and $\Gamma \vdash \tau \le S(v : (x{:}\sigma')\to\sigma'')$.

  (b) Similarly, $\Gamma \triangleright v' \Uparrow \tau_1$ and $\Gamma \vdash v' : \tau_1$ and $\Gamma \vdash \tau_1 \le \sigma'$.

  (c) By Lemma 6.3.1, $\Gamma \vdash \tau^{\$} \le (x{:}\sigma')\to\sigma''$.

  (d) By Theorem 6.2.3, $\Gamma \triangleright \tau^{\$} \Downarrow (x{:}\tau')\to\tau''$ with $\Gamma \vdash \sigma' \le \tau'$ and $\Gamma, x{:}\sigma' \vdash \tau'' \le \sigma''$.

  (e) Thus $\Gamma \triangleright v\ v' \Uparrow [v'/x]\tau''$.

  (f) By Lemmas 6.3.1 and 6.2.1, $\Gamma \vdash v : (x{:}\tau')\to\tau''$.

  (g) Also by transitivity, $\Gamma \vdash \tau_1 \le \tau'$.

  (h) Hence $\Gamma \vdash v\ v' : [v'/x]\tau''$.

  (i) Finally, by substitution we have $\Gamma \vdash [v'/x]\tau'' \le [v'/x]\sigma''$.

• Case: Rule 2.75.

  $$\frac{\Gamma \vdash v : \forall\alpha{::}K'.\sigma'' \qquad \Gamma \vdash A :: K'}{\Gamma \vdash v\ A : [A/\alpha]\sigma''}$$

  (a) By the inductive hypothesis, $\Gamma \triangleright v \Uparrow \tau$ and $\Gamma \vdash v : \tau$ and $\Gamma \vdash \tau \le \forall\alpha{::}K'.\sigma''$.

  (b) By Lemma 6.3.1, $\Gamma \vdash \tau^{\$} \le \forall\alpha{::}K'.\sigma''$,

  (c) so by Theorem 6.2.3 $\tau^{\$} = \forall\alpha{::}L'.\tau''$ with $\Gamma \vdash K' \le L'$ and $\Gamma, \alpha{::}K' \vdash \tau'' \le \sigma''$.

  (d) Thus $\Gamma \triangleright v\ A \Uparrow [A/\alpha]\tau''$.

  (e) Then $\Gamma \vdash v : \forall\alpha{::}L'.\tau''$ and $\Gamma \vdash A :: L'$,

  (f) so $\Gamma \vdash v\ A : [A/\alpha]\tau''$.

  (g) Finally, by substitution we have $\Gamma \vdash [A/\alpha]\tau'' \le [A/\alpha]\sigma''$.

• Case: Rule 2.76.

  $$\frac{\Gamma \vdash e' : \sigma' \qquad \Gamma, x{:}\sigma' \vdash e : \sigma \qquad \Gamma \vdash \sigma}{\Gamma \vdash (\mathsf{let}\ x{:}\sigma' = e'\ \mathsf{in}\ e : \sigma\ \mathsf{end}) : \sigma}$$

  (a) It is immediate that $\Gamma \triangleright (\mathsf{let}\ x{:}\sigma' = e'\ \mathsf{in}\ e : \sigma\ \mathsf{end}) \Uparrow \sigma$,

  (b) and $\Gamma \vdash (\mathsf{let}\ x{:}\sigma' = e'\ \mathsf{in}\ e : \sigma\ \mathsf{end}) : \sigma$ by assumption.

  (c) Finally, $\Gamma \vdash \sigma \le \sigma$ by reflexivity.

• Case: Rule 2.78. As in Part 1.

■


6.4 Algorithms

The term equivalence algorithm again makes use of term-level elimination contexts, again denoted by $\mathcal{E}$. In contrast to the elimination contexts for type constructors, applications are not included; the only paths ($\mathcal{E}[v]$ where $v$ is a constant or variable) of interest are those which are values:

  $\mathcal{E} ::= \circ \mid \pi_1 \mathcal{E} \mid \pi_2 \mathcal{E}$

6.5 Soundness

Proposition 6.5.1 (Inversion of Term Validity)

1. If $\Gamma \vdash v\ v' : \tau$ then $\Gamma \vdash v : (x{:}\tau')\to\tau''$ and $\Gamma \vdash v' : \tau'$ with $\Gamma \vdash [v'/x]\tau'' \le \tau$.

2. If $\Gamma \vdash v\ A : \tau$ then $\Gamma \vdash v : \forall\alpha{::}K'.\tau''$ and $\Gamma \vdash A :: K'$ with $\Gamma \vdash [A/\alpha]\tau'' \le \tau$.

3. If $\Gamma \vdash \pi_1 v : \tau$ then $\Gamma \vdash v : \tau_1 \times \tau_2$ and $\Gamma \vdash \tau_1 \le \tau$.

4. If $\Gamma \vdash \pi_2 v : \tau$ then $\Gamma \vdash v : \tau_1 \times \tau_2$ and $\Gamma \vdash \tau_2 \le \tau$.

Proof: By inversion $v$ must be well-formed, so (the stripped, head-normal version of) its principal type satisfies the desired properties. ■

Proposition 6.5.2

If $\Gamma \vdash \langle v_1, v_2\rangle : \tau$ then $\Gamma \triangleright \tau^{\$} \Downarrow (x{:}\tau')\times\tau''$ and $\Gamma \vdash v_1 : \tau'$ and $\Gamma \vdash v_2 : [v_1/x]\tau''$.

Proof: By induction on typing derivations, and cases on the last rule used.

• Case: Rule 2.71.

  $$\frac{\Gamma \vdash v_1 : \tau' \qquad \Gamma \vdash v_2 : \tau''}{\Gamma \vdash \langle v_1, v_2\rangle : \tau' \times \tau''}$$

  Trivial.
Type validity

  $\Gamma \triangleright \mathrm{Ty}(A)$   if $\Gamma \triangleright A \Leftarrow \mathrm{T}$.
  $\Gamma \triangleright S(v : \tau)$   if $\Gamma \triangleright \tau$ and $\Gamma \triangleright v \Leftarrow \tau$.
  $\Gamma \triangleright (x{:}\tau')\to\tau''$   if $\Gamma \triangleright \tau'$ and $\Gamma, x{:}\tau' \triangleright \tau''$.
  $\Gamma \triangleright (x{:}\tau')\times\tau''$   if $\Gamma \triangleright \tau'$ and $\Gamma, x{:}\tau' \triangleright \tau''$.
  $\Gamma \triangleright \forall\alpha{::}K.\tau$   if $\Gamma \triangleright K$ and $\Gamma, \alpha{::}K \triangleright \tau$.

Algorithmic subtyping

  $\Gamma \triangleright \tau_1 \le \tau_2$   if $\Gamma \triangleright \tau_1 \Downarrow \sigma_1$, $\Gamma \triangleright \tau_2 \Downarrow \sigma_2$, and $\Gamma \triangleright \sigma_1 \sqsubseteq \sigma_2$.

Weak algorithmic subtyping

  $\Gamma \triangleright \mathrm{Ty}(A_1) \sqsubseteq \mathrm{Ty}(A_2)$   if $\Gamma \triangleright A_1 \Leftrightarrow A_2 :: \mathrm{T}$.
  $\Gamma \triangleright S(v_1 : \tau_1) \sqsubseteq S(v_2 : \tau_2)$   if $\Gamma \triangleright \tau_1 \le \tau_2$ and $\Gamma \triangleright v_1 \Leftrightarrow v_2$.
  $\Gamma \triangleright S(v_1 : \tau_1) \sqsubseteq \tau_2$   if $\tau_2$ not a singleton and $\Gamma \triangleright \tau_1 \le \tau_2$.
  $\Gamma \triangleright (x{:}\tau_1')\to\tau_1'' \sqsubseteq (x{:}\tau_2')\to\tau_2''$   if $\Gamma \triangleright \tau_2' \le \tau_1'$ and $\Gamma, x{:}\tau_2' \triangleright \tau_1'' \le \tau_2''$.
  $\Gamma \triangleright (x{:}\tau_1')\times\tau_1'' \sqsubseteq (x{:}\tau_2')\times\tau_2''$   if $\Gamma \triangleright \tau_1' \le \tau_2'$ and $\Gamma, x{:}\tau_1' \triangleright \tau_1'' \le \tau_2''$.
  $\Gamma \triangleright \forall\alpha{::}K_1.\tau_1 \sqsubseteq \forall\alpha{::}K_2.\tau_2$   if $\Gamma \triangleright K_2 \le K_1$ and $\Gamma, \alpha{::}K_2 \triangleright \tau_1 \le \tau_2$.

Algorithmic type equivalence

  $\Gamma \triangleright \tau_1 \Leftrightarrow \tau_2$   if $\Gamma \triangleright \tau_1 \Downarrow \sigma_1$, $\Gamma \triangleright \tau_2 \Downarrow \sigma_2$, and $\Gamma \triangleright \sigma_1 \leftrightarrow \sigma_2$.

Weak algorithmic type equivalence

  $\Gamma \triangleright \mathrm{Ty}(A_1) \leftrightarrow \mathrm{Ty}(A_2)$   if $\Gamma \triangleright A_1 \Leftrightarrow A_2 :: \mathrm{T}$.
  $\Gamma \triangleright S(v_1 : \tau_1) \leftrightarrow S(v_2 : \tau_2)$   if $\Gamma \triangleright \tau_1 \Leftrightarrow \tau_2$ and $\Gamma \triangleright v_1 \Leftrightarrow v_2$.
  $\Gamma \triangleright (x{:}\tau_1')\to\tau_1'' \leftrightarrow (x{:}\tau_2')\to\tau_2''$   if $\Gamma \triangleright \tau_1' \Leftrightarrow \tau_2'$ and $\Gamma, x{:}\tau_1' \triangleright \tau_1'' \Leftrightarrow \tau_2''$.
  $\Gamma \triangleright (x{:}\tau_1')\times\tau_1'' \leftrightarrow (x{:}\tau_2')\times\tau_2''$   if $\Gamma \triangleright \tau_1' \Leftrightarrow \tau_2'$ and $\Gamma, x{:}\tau_1' \triangleright \tau_1'' \Leftrightarrow \tau_2''$.
  $\Gamma \triangleright \forall\alpha{::}K_1.\tau_1 \leftrightarrow \forall\alpha{::}K_2.\tau_2$   if $\Gamma \triangleright K_1 \Leftrightarrow K_2$ and $\Gamma, \alpha{::}K_1 \triangleright \tau_1 \Leftrightarrow \tau_2$.

Figure 6.3: Algorithms for Types
Type synthesis

  $\Gamma \triangleright n \Rightarrow S(n : \mathrm{int})$
  $\Gamma \triangleright x \Rightarrow S(x : \Gamma(x)^{\$})$
  $\Gamma \triangleright \mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e \Rightarrow S((\mathsf{fun}\ f(x{:}\tau'){:}\tau''\ \mathsf{is}\ e) : (x{:}\tau')\to\tau'')$   if $\Gamma \triangleright \tau'$, $\Gamma, x{:}\tau' \triangleright \tau''$, and $\Gamma, f{:}(x{:}\tau')\to\tau'', x{:}\tau' \triangleright e \Leftarrow \tau''$.
  $\Gamma \triangleright \Lambda(\alpha{::}K){:}\tau.e \Rightarrow S(\Lambda(\alpha{::}K){:}\tau.e : \forall\alpha{::}K.\tau)$   if $\Gamma \triangleright K$ and $\Gamma, \alpha{::}K \triangleright \tau$ and $\Gamma, \alpha{::}K \triangleright e \Leftarrow \tau$.
  $\Gamma \triangleright \langle v_1, v_2\rangle \Rightarrow S(\langle v_1, v_2\rangle : \tau_1 \times \tau_2)$   if $\Gamma \triangleright v_1 \Rightarrow \tau_1$ and $\Gamma \triangleright v_2 \Rightarrow \tau_2$.
  $\Gamma \triangleright \pi_1 v \Rightarrow \tau'$   if $\Gamma \triangleright v \Rightarrow \tau$ and $\tau^{\$} = (x{:}\tau')\times\tau''$.
  $\Gamma \triangleright \pi_2 v \Rightarrow [\pi_1 v/x]\tau''$   if $\Gamma \triangleright v \Rightarrow \tau$ and $\tau^{\$} = (x{:}\tau')\times\tau''$.
  $\Gamma \triangleright v\ v' \Rightarrow [v'/x]\tau''$   if $\Gamma \triangleright v \Rightarrow \tau$, $\tau^{\$} = (x{:}\tau')\to\tau''$, and $\Gamma \triangleright v' \Leftarrow \tau'$.
  $\Gamma \triangleright v\ A \Rightarrow [A/\alpha]\tau$   if $\Gamma \triangleright v \Rightarrow \tau'$, $\tau'^{\$} = \forall\alpha{::}K.\tau$, and $\Gamma \triangleright A \Leftarrow K$.
  $\Gamma \triangleright \mathsf{let}\ x{:}\tau' = e'\ \mathsf{in}\ e : \tau\ \mathsf{end} \Rightarrow \tau$   if $\Gamma \triangleright \tau'$, $\Gamma \triangleright e' \Leftarrow \tau'$, $\Gamma \triangleright \tau$, and $\Gamma, x{:}\tau' \triangleright e \Leftarrow \tau$.

Typechecking

  $\Gamma \triangleright e \Leftarrow \tau$   if $\Gamma \triangleright e \Rightarrow \sigma$ and $\Gamma \triangleright \sigma \le \tau$.

Figure 6.4: Algorithms for Term Validity


• Case: Rule 2.77.

  $$\frac{\Gamma \vdash \langle v_1, v_2\rangle : \tau}{\Gamma \vdash \langle v_1, v_2\rangle : S(\langle v_1, v_2\rangle : \tau)}\ (\tau \text{ not a singleton})$$

  By the inductive hypothesis.

• Case: Rule 2.78.

  $$\frac{\Gamma \vdash \langle v_1, v_2\rangle : \tau_1 \qquad \Gamma \vdash \tau_1 \le \tau_2}{\Gamma \vdash \langle v_1, v_2\rangle : \tau_2}$$

  1. By the inductive hypothesis, $\Gamma \triangleright \tau_1^{\$} \Downarrow (x{:}\tau_1')\times\tau_1''$

  2. and $\Gamma \vdash v_1 : \tau_1'$ and $\Gamma \vdash v_2 : [v_1/x]\tau_1''$.

  3. Then by Lemma 6.3.1, $\Gamma \vdash \tau_1^{\$} \le \tau_2^{\$}$,

  4. so by Theorem 6.2.3 we have $\Gamma \triangleright \tau_2^{\$} \Downarrow (x{:}\tau_2')\times\tau_2''$

  5. and $\Gamma \vdash \tau_1' \le \tau_2'$ and $\Gamma, x{:}\tau_1' \vdash \tau_1'' \le \tau_2''$.

  6. Thus by substitution and subsumption, $\Gamma \vdash v_1 : \tau_2'$ and $\Gamma \vdash v_2 : [v_1/x]\tau_2''$.

■

Lemma 6.5.3

If $\Gamma \vdash v_1 : \tau$ and $\Gamma \vdash v_2 : \tau$ and $\Gamma \vdash v_1 = v_2 : \tau^{\$}$ then $\Gamma \vdash v_1 = v_2 : \tau$.

Proof:

• Case: $\tau = S(w : \sigma)$.

  1. Then $\tau^{\$} = \sigma$ and $\Gamma \vdash v_1 = v_2 : \sigma$.

  2. By Rule 2.120, $\Gamma \vdash v_1 = v_2 : S(v_1 : \sigma)$.
Type extraction

  $\Gamma \triangleright n \uparrow \mathrm{int}$
  $\Gamma \triangleright x \uparrow \Gamma(x)$
  $\Gamma \triangleright \pi_1 p \uparrow \tau_1$   if $\Gamma \triangleright p \uparrow (y{:}\tau_1)\times\tau_2$.
  $\Gamma \triangleright \pi_2 p \uparrow [\pi_1 p/y]\tau_2$   if $\Gamma \triangleright p \uparrow (y{:}\tau_1)\times\tau_2$.

Term weak head reduction

  $\Gamma \triangleright \mathcal{E}[\pi_1\langle v_1, v_2\rangle] \rightsquigarrow \mathcal{E}[v_1]$
  $\Gamma \triangleright \mathcal{E}[\pi_2\langle v_1, v_2\rangle] \rightsquigarrow \mathcal{E}[v_2]$
  $\Gamma \triangleright \mathcal{E}[p] \rightsquigarrow \mathcal{E}[v]$   if $\Gamma \triangleright p \uparrow S(v : \tau)$.

Term weak head normalization

  $\Gamma \triangleright e \Downarrow d$   if $\Gamma \triangleright e \rightsquigarrow e'$ and $\Gamma \triangleright e' \Downarrow d$.
  $\Gamma \triangleright e \Downarrow e$   otherwise.

Algorithmic term equivalence

  $\Gamma \triangleright e_1 \Leftrightarrow e_2$   if $\Gamma \triangleright e_1 \Downarrow d_1$, $\Gamma \triangleright e_2 \Downarrow d_2$, and $\Gamma \triangleright d_1 \leftrightarrow d_2$.

Algorithmic weak term equivalence

  $\Gamma \triangleright n \leftrightarrow n$   always.
  $\Gamma \triangleright x \leftrightarrow x$   always.
  $\Gamma \triangleright \mathsf{fun}\ f(x{:}\tau_1'){:}\tau_1''\ \mathsf{is}\ e_1 \leftrightarrow \mathsf{fun}\ f(x{:}\tau_2'){:}\tau_2''\ \mathsf{is}\ e_2$   if $\Gamma \triangleright \tau_1' \Leftrightarrow \tau_2'$ and $\Gamma, x{:}\tau_1' \triangleright \tau_1'' \Leftrightarrow \tau_2''$ and $\Gamma, f{:}(x{:}\tau_1')\to\tau_1'', x{:}\tau_1' \triangleright e_1 \Leftrightarrow e_2$.
  $\Gamma \triangleright \Lambda(\alpha{::}K_1){:}\tau_1.e_1 \leftrightarrow \Lambda(\alpha{::}K_2){:}\tau_2.e_2$   if $\Gamma \triangleright K_1 \Leftrightarrow K_2$ and $\Gamma, \alpha{::}K_1 \triangleright \tau_1 \Leftrightarrow \tau_2$ and $\Gamma, \alpha{::}K_1 \triangleright e_1 \Leftrightarrow e_2$.
  $\Gamma \triangleright \langle v_1', v_1''\rangle \leftrightarrow \langle v_2', v_2''\rangle$   if $\Gamma \triangleright v_1' \Leftrightarrow v_2'$ and $\Gamma \triangleright v_1'' \Leftrightarrow v_2''$.
  $\Gamma \triangleright \pi_i v_1 \leftrightarrow \pi_i v_2$   if $\Gamma \triangleright v_1 \leftrightarrow v_2$.
  $\Gamma \triangleright v_1\ v_1' \leftrightarrow v_2\ v_2'$   if $\Gamma \triangleright v_1 \Leftrightarrow v_2$ and $\Gamma \triangleright v_1' \Leftrightarrow v_2'$.
  $\Gamma \triangleright v_1\ A_1 \leftrightarrow v_2\ A_2$   if $\Gamma \triangleright v_1 \Leftrightarrow v_2$, $\Gamma \triangleright v_1 \Downarrow w_1$, $\Gamma \triangleright w_1 \Uparrow \sigma$, $\sigma^{\$} = \forall\alpha{::}L'.\sigma''$, and $\Gamma \triangleright A_1 \Leftrightarrow A_2 :: L'$.
  $\Gamma \triangleright (\mathsf{let}\ x{:}\tau_1' = e_1'\ \mathsf{in}\ e_1 : \tau_1\ \mathsf{end}) \leftrightarrow (\mathsf{let}\ x{:}\tau_2' = e_2'\ \mathsf{in}\ e_2 : \tau_2\ \mathsf{end})$   if $\Gamma \triangleright \tau_1' \Leftrightarrow \tau_2'$, $\Gamma \triangleright e_1' \Leftrightarrow e_2'$, $\Gamma, x{:}\tau_1' \triangleright e_1 \Leftrightarrow e_2$, and $\Gamma \triangleright \tau_1 \Leftrightarrow \tau_2$.

Figure 6.5: Algorithms for Term Equivalence
  3. But $\Gamma \vdash v_1 : S(w : \sigma)$, so $\Gamma \vdash v_1 = w : \sigma$

  4. and hence $\Gamma \vdash S(v_1 : \sigma) = S(w : \sigma)$.

  5. By subsumption then, $\Gamma \vdash v_1 = v_2 : S(w : \sigma)$.

  6. That is, $\Gamma \vdash v_1 = v_2 : \tau$.

• Case: $\tau^{\$} = \tau$. Trivial.

■

Lemma 6.5.4 (Term Weak Head-Normalization)

If $\Gamma \vdash e : \tau$ then there exists at most one $e'$ such that $\Gamma \triangleright e \Downarrow e'$. Furthermore, $\Gamma \vdash e' : \tau$ and $\Gamma \vdash e = e' : \tau$.

Lemma 6.5.5 (Soundness for Path Weak Equivalence)

If $\Gamma \vdash p_1 : \tau_1$ and $\Gamma \vdash p_2 : \tau_2$ and $\Gamma \triangleright p_1 \leftrightarrow p_2$ then $\Gamma \triangleright p_1 \Uparrow \sigma_1$, $\Gamma \triangleright p_2 \Uparrow \sigma_2$, $\Gamma \vdash \sigma_1 = \sigma_2$, and $\Gamma \vdash p_1 = p_2 : \sigma_1$.

Proof: By induction on $\Gamma \triangleright p_1 \leftrightarrow p_2$, and cases on the last step.

• Case: $\Gamma \triangleright n \leftrightarrow n$. Direct.

• Case: $\Gamma \triangleright x \leftrightarrow x$. Direct.

• Case: $\Gamma \triangleright \pi_1 p_1' \leftrightarrow \pi_1 p_2'$ because $\Gamma \triangleright p_1' \leftrightarrow p_2'$.

  1. By inversion, $p_1'$ and $p_2'$ are well-formed.

  2. By the inductive hypothesis, $\Gamma \triangleright p_1' \Uparrow \sigma_1$, $\Gamma \triangleright p_2' \Uparrow \sigma_2$, $\Gamma \vdash \sigma_1 = \sigma_2$, and $\Gamma \vdash p_1' = p_2' : \sigma_1$.

  3. Since $\pi_1 p_1'$ and $\pi_1 p_2'$ are well-formed, $\sigma_1 = S(p_1' : (x{:}\sigma_1')\times\sigma_1'')$ and $\sigma_2 = S(p_2' : (x{:}\sigma_2')\times\sigma_2'')$,

  4. and $\Gamma \triangleright \pi_1 p_1' \Uparrow S(\pi_1 p_1' : \sigma_1')$ and $\Gamma \triangleright \pi_1 p_2' \Uparrow S(\pi_1 p_2' : \sigma_2')$.

  5. By Theorem 6.2.2, $\Gamma \vdash \sigma_1' = \sigma_2'$.

  6. By subsumption and Rule 2.85, $\Gamma \vdash \pi_1 p_1' = \pi_1 p_2' : \sigma_1'$.

  7. Hence $\Gamma \vdash \pi_1 p_1' = \pi_1 p_2' : S(\pi_1 p_1' : \sigma_1')$ and $\Gamma \vdash S(\pi_1 p_1' : \sigma_1') = S(\pi_1 p_2' : \sigma_2')$.

• Case: $\Gamma \triangleright \pi_2 p_1' \leftrightarrow \pi_2 p_2'$ because $\Gamma \triangleright p_1' \leftrightarrow p_2'$. Analogous to previous case.

■

Theorem 6.5.6 (Soundness of Equivalence)

1. If $\Gamma \vdash e_1 : \tau$ and $\Gamma \vdash e_2 : \tau$ and $\Gamma \triangleright e_1 \Leftrightarrow e_2$ then $\Gamma \vdash e_1 = e_2 : \tau$.

2. If $\Gamma \vdash e_1 : \tau$, $\Gamma \vdash e_2 : \tau$, $\Gamma \triangleright e_1 \leftrightarrow e_2$, and $e_1$ and $e_2$ are head-normal then $\Gamma \vdash e_1 = e_2 : \tau$.

3. If $\Gamma \vdash \tau_1$ and $\Gamma \vdash \tau_2$ and $\Gamma \triangleright \tau_1 \Leftrightarrow \tau_2$ then $\Gamma \vdash \tau_1 = \tau_2$.

4. If $\Gamma \vdash \tau_1$ and $\Gamma \vdash \tau_2$ and $\Gamma \triangleright \tau_1 \leftrightarrow \tau_2$ then $\Gamma \vdash \tau_1 = \tau_2$.
Proof: By simultaneous induction on algorithmic judgments (i.e., on the execution of the algorithms).

1. By the inductive hypothesis and Lemma 6.5.4.

2. • Case: $\Gamma \triangleright n \leftrightarrow n$. Follows by reflexivity.

  • Case: $\Gamma \triangleright x \leftrightarrow x$. Follows by reflexivity.

  • Case: $\Gamma \triangleright \mathsf{fun}\ f(x{:}\sigma_1'){:}\sigma_1''\ \mathsf{is}\ e_1 \leftrightarrow \mathsf{fun}\ f(x{:}\sigma_2'){:}\sigma_2''\ \mathsf{is}\ e_2$.

    (a) Then by inversion $\Gamma \vdash \sigma_1'$, $\Gamma \vdash \sigma_2'$, $\Gamma, x{:}\sigma_1' \vdash \sigma_1''$, $\Gamma, x{:}\sigma_2' \vdash \sigma_2''$, $\Gamma, f{:}(x{:}\sigma_1')\to\sigma_1'', x{:}\sigma_1' \vdash e_1 : \sigma_1''$, and $\Gamma, f{:}(x{:}\sigma_2')\to\sigma_2'', x{:}\sigma_2' \vdash e_2 : \sigma_2''$.

    (b) By inversion of the algorithm, $\Gamma \triangleright \sigma_1' \Leftrightarrow \sigma_2'$ and $\Gamma, x{:}\sigma_1' \triangleright \sigma_1'' \Leftrightarrow \sigma_2''$.

    (c) By the inductive hypothesis, $\Gamma \vdash \sigma_1' = \sigma_2'$.

    (d) Thus $\Gamma, x{:}\sigma_1' \vdash \sigma_2''$ and so by the inductive hypothesis $\Gamma, x{:}\sigma_1' \vdash \sigma_1'' = \sigma_2''$.

    (e) This yields $\Gamma, f{:}(x{:}\sigma_1')\to\sigma_1'', x{:}\sigma_1' \vdash e_2 : \sigma_1''$, so by the inductive hypothesis $\Gamma, f{:}(x{:}\sigma_1')\to\sigma_1'', x{:}\sigma_1' \vdash e_1 = e_2 : \sigma_1''$.

    (f) Thus $\Gamma \vdash \mathsf{fun}\ f(x{:}\sigma_1'){:}\sigma_1''\ \mathsf{is}\ e_1 = \mathsf{fun}\ f(x{:}\sigma_2'){:}\sigma_2''\ \mathsf{is}\ e_2 : (x{:}\sigma_1')\to\sigma_1''$.

    (g) Finally, by Theorem 6.3.2 and Lemma 6.2.1 we have $\Gamma \vdash (x{:}\sigma_1')\to\sigma_1'' \le \tau^{\$}$ and so $\Gamma \vdash \mathsf{fun}\ f(x{:}\sigma_1'){:}\sigma_1''\ \mathsf{is}\ e_1 = \mathsf{fun}\ f(x{:}\sigma_2'){:}\sigma_2''\ \mathsf{is}\ e_2 : \tau^{\$}$.

    (h) By Lemma 6.5.3, we have $\Gamma \vdash \mathsf{fun}\ f(x{:}\sigma_1'){:}\sigma_1''\ \mathsf{is}\ e_1 = \mathsf{fun}\ f(x{:}\sigma_2'){:}\sigma_2''\ \mathsf{is}\ e_2 : \tau$.

  • Case: $\Gamma \triangleright \Lambda(\alpha{::}K_1){:}\tau_1.e_1 \leftrightarrow \Lambda(\alpha{::}K_2){:}\tau_2.e_2$ because $\Gamma \triangleright K_1 \Leftrightarrow K_2$ and $\Gamma, \alpha{::}K_1 \triangleright \tau_1 \Leftrightarrow \tau_2$ and $\Gamma, \alpha{::}K_1 \triangleright e_1 \Leftrightarrow e_2$.

    (a) By inversion of typing, $\Gamma \vdash K_1$ and $\Gamma, \alpha{::}K_1 \vdash \tau_1$ and $\Gamma, \alpha{::}K_1 \vdash e_1 : \tau_1$.

    (b) Similarly, $\Gamma \vdash K_2$ and $\Gamma, \alpha{::}K_2 \vdash \tau_2$ and $\Gamma, \alpha{::}K_2 \vdash e_2 : \tau_2$.

    (c) By the inductive hypothesis, $\Gamma \vdash K_1 = K_2$.

    (d) Then $\Gamma, \alpha{::}K_1 \vdash \tau_2$, so by the inductive hypothesis $\Gamma, \alpha{::}K_1 \vdash \tau_1 = \tau_2$.

    (e) Then $\Gamma, \alpha{::}K_1 \vdash e_2 : \tau_1$, so by the inductive hypothesis $\Gamma, \alpha{::}K_1 \vdash e_1 = e_2 : \tau_1$.

    (f) Thus, $\Gamma \vdash \Lambda(\alpha{::}K_1){:}\tau_1.e_1 = \Lambda(\alpha{::}K_2){:}\tau_2.e_2 : \forall\alpha{::}K_1.\tau_1$.

    (g) By Theorem 6.3.2 and Lemma 6.3.1, $\Gamma \vdash \forall\alpha{::}K_1.\tau_1 \le \tau^{\$}$.

    (h) By subsumption, $\Gamma \vdash \Lambda(\alpha{::}K_1){:}\tau_1.e_1 = \Lambda(\alpha{::}K_2){:}\tau_2.e_2 : \tau^{\$}$.

    (i) Therefore by Lemma 6.5.3, $\Gamma \vdash \Lambda(\alpha{::}K_1){:}\tau_1.e_1 = \Lambda(\alpha{::}K_2){:}\tau_2.e_2 : \tau$.

  • Case: $\Gamma \triangleright \langle v_1', v_1''\rangle \leftrightarrow \langle v_2', v_2''\rangle$ because $\Gamma \triangleright v_1' \Leftrightarrow v_2'$ and $\Gamma \triangleright v_1'' \Leftrightarrow v_2''$.

    (a) By Proposition 6.5.2, $\Gamma \triangleright \tau^{\$} \Downarrow (x{:}\tau')\times\tau''$,

    (b) and $\Gamma \vdash v_1' : \tau'$ and $\Gamma \vdash v_2' : \tau'$

    (c) and $\Gamma \vdash v_1'' : [v_1'/x]\tau''$ and $\Gamma \vdash v_2'' : [v_2'/x]\tau''$.

    (d) By the inductive hypothesis, $\Gamma \vdash v_1' = v_2' : \tau'$.

    (e) Thus by functionality and subsumption $\Gamma \vdash v_2'' : [v_1'/x]\tau''$.

    (f) By the inductive hypothesis, $\Gamma \vdash v_1'' = v_2'' : [v_1'/x]\tau''$.

    (g) By Rule 2.106, $\Gamma \vdash \langle v_1', v_1''\rangle = \langle v_2', v_2''\rangle : (x{:}\tau')\times\tau''$.

    (h) By Lemma 6.2.1 and subsumption, $\Gamma \vdash \langle v_1', v_1''\rangle = \langle v_2', v_2''\rangle : \tau^{\$}$.

    (i) Therefore by Lemma 6.5.3, $\Gamma \vdash \langle v_1', v_1''\rangle = \langle v_2', v_2''\rangle : \tau$.

  • Case: $\Gamma \triangleright \pi_1 v_1 \leftrightarrow \pi_1 v_2$ because $\Gamma \triangleright v_1 \leftrightarrow v_2$. Since $\pi_1 v_1$ and $\pi_1 v_2$ are head-normal and well-formed they must be paths; the result follows by Lemma 6.5.5.

  • Case: $\Gamma \triangleright \pi_2 v_1 \leftrightarrow \pi_2 v_2$ because $\Gamma \triangleright v_1 \leftrightarrow v_2$. Since $\pi_2 v_1$ and $\pi_2 v_2$ are head-normal and well-formed they must be paths; the result follows by Lemma 6.5.5.

  • Case: $\Gamma \triangleright v_1\ v_1' \leftrightarrow v_2\ v_2'$ because $\Gamma \triangleright v_1 \Leftrightarrow v_2$ and $\Gamma \triangleright v_1' \Leftrightarrow v_2'$.

    (a) Then $\Gamma \triangleright v_1 \Downarrow w_1$ and $\Gamma \triangleright v_2 \Downarrow w_2$ and $\Gamma \triangleright w_1 \leftrightarrow w_2$.

    (b) By Proposition 6.5.1, $\Gamma \vdash v_1 : (x{:}\tau_1')\to\tau_1''$ and $\Gamma \vdash v_1' : \tau_1'$ and $\Gamma \vdash [v_1'/x]\tau_1'' \le \tau$.

    (c) Similarly, $\Gamma \vdash v_2 : (x{:}\tau_2')\to\tau_2''$ and $\Gamma \vdash v_2' : \tau_2'$ and $\Gamma \vdash [v_2'/x]\tau_2'' \le \tau$.

    (d) By Lemma 6.5.4, $w_1$ and $w_2$ have these function types. Thus $w_1$ and $w_2$ are not type abstractions, pairs, or (because they are head-normal) projections from pairs. The only remaining possibilities are that either $w_1$ and $w_2$ are both paths, or else they are both term abstractions.

      – SUBCASE: $w_1 = p_1$ and $w_2 = p_2$. By Lemma 6.5.5, there exist $\sigma_1$ and $\sigma_2$ such that $\Gamma \triangleright w_1 \Uparrow \sigma_1$ and $\Gamma \triangleright w_2 \Uparrow \sigma_2$ and $\Gamma \vdash \sigma_1 = \sigma_2$ and $\Gamma \vdash w_1 = w_2 : \sigma_1$.

      – SUBCASE: $w_1 = \mathsf{fun}\ f(x{:}\sigma_1'){:}\sigma_1''\ \mathsf{is}\ e_1$ and $w_2 = \mathsf{fun}\ f(x{:}\sigma_2'){:}\sigma_2''\ \mathsf{is}\ e_2$.

        * Put $\sigma_1 = S(w_1 : (x{:}\sigma_1')\to\sigma_1'')$ and $\sigma_2 = S(w_2 : (x{:}\sigma_2')\to\sigma_2'')$.

        * Then $\Gamma \triangleright w_1 \Uparrow \sigma_1$ and $\Gamma \triangleright w_2 \Uparrow \sigma_2$.

        * By declarative and algorithmic inversion and the inductive hypothesis, $\Gamma \vdash \sigma_1' = \sigma_2'$ and $\Gamma, x{:}\sigma_1' \vdash \sigma_1'' = \sigma_2''$.

        * By the inductive hypothesis, $\Gamma \vdash w_1 = w_2 : \sigma_1^{\$}$,

        * so $\Gamma \vdash \sigma_1 = \sigma_2$ and $\Gamma \vdash w_1 = w_2 : \sigma_1$.

      – Since $\Gamma \vdash w_1 : (x{:}\tau_1')\to\tau_1''$, by Theorem 6.3.2 we have $\Gamma \vdash \sigma_1 \le (x{:}\tau_1')\to\tau_1''$.

      – Thus in either of the two cases above, $\sigma_1^{\$}$ is of the form $(x{:}\sigma_1')\to\sigma_1''$.

      – By Theorem 6.2.3, $\Gamma \vdash \tau_1' \le \sigma_1'$ and $\Gamma, x{:}\tau_1' \vdash \sigma_1'' \le \tau_1''$.

      – Thus $\Gamma \vdash v_1' : \sigma_1'$.

      – Similarly, $\sigma_2^{\$} = (x{:}\sigma_2')\to\sigma_2''$ and $\Gamma \vdash v_2' : \sigma_2'$.

      – By subsumption, $\Gamma \vdash v_2' : \sigma_1'$.

      – By the inductive hypothesis, $\Gamma \vdash v_1' = v_2' : \sigma_1'$.

      – Thus $\Gamma \vdash w_1\ v_1' = w_2\ v_2' : [v_1'/x]\sigma_1''$.

      – By substitution, $\Gamma \vdash [v_1'/x]\sigma_1'' \le [v_1'/x]\tau_1''$,

      – so $\Gamma \vdash [v_1'/x]\sigma_1'' \le \tau$ and $\Gamma \vdash w_1\ v_1' = w_2\ v_2' : \tau$.

      – Then $\Gamma \vdash v_1\ v_1' = w_1\ v_1' : \tau$ and $\Gamma \vdash v_2\ v_2' = w_2\ v_2' : \tau$.

      – So by symmetry and transitivity, $\Gamma \vdash v_1\ v_1' = v_2\ v_2' : \tau$.

  • Case: $\Gamma \triangleright v_1\ A_1 \leftrightarrow v_2\ A_2$ because $\Gamma \triangleright v_1 \Leftrightarrow v_2$, $\Gamma \triangleright v_1 \Downarrow w_1$, $\Gamma \triangleright w_1 \Uparrow \sigma$, $\sigma^{\$} = \forall\alpha{::}L'.\sigma''$, and $\Gamma \triangleright A_1 \Leftrightarrow A_2 :: L'$.

    Analogous to the previous case; this time the head normal forms of $v_1$ and $v_2$ must either be paths or type abstractions. The return-type annotations on type abstractions are vital here (as they are for term abstractions in the proof of the previous case) so that the induction hypothesis can be applied; they supply a common type for comparing the functions' bodies.

  • Case: $\Gamma \triangleright \mathsf{let}\ x{:}\tau_1' = e_1'\ \mathsf{in}\ e_1 : \tau_1\ \mathsf{end} \leftrightarrow \mathsf{let}\ x{:}\tau_2' = e_2'\ \mathsf{in}\ e_2 : \tau_2\ \mathsf{end}$ because $\Gamma \triangleright \tau_1' \Leftrightarrow \tau_2'$ and $\Gamma \triangleright e_1' \Leftrightarrow e_2'$ and $\Gamma, x{:}\tau_1' \triangleright \tau_1 \Leftrightarrow \tau_2$ and $\Gamma, x{:}\tau_1' \triangleright e_1 \Leftrightarrow e_2$.

    Essentially analogous to the proof for equivalence of two term-level functions.

3. By the inductive hypothesis and Lemma 6.2.1.

4. • Case: $\Gamma \triangleright \mathrm{Ty}(A_1) \leftrightarrow \mathrm{Ty}(A_2)$ because $\Gamma \triangleright A_1 \Leftrightarrow A_2 :: \mathrm{T}$.

    (a) By inversion of typing, $\Gamma \vdash A_1 :: \mathrm{T}$ and $\Gamma \vdash A_2 :: \mathrm{T}$,

    (b) By soundness of constructor equivalence then, $\Gamma \vdash A_1 = A_2 :: \mathrm{T}$.

    (c) By Rule 2.53, $\Gamma \vdash \mathrm{Ty}(A_1) = \mathrm{Ty}(A_2)$.

  • Case: $\Gamma \triangleright S(v_1 : \tau_1) \leftrightarrow S(v_2 : \tau_2)$ because $\Gamma \triangleright \tau_1 \Leftrightarrow \tau_2$ and $\Gamma \triangleright v_1 \Leftrightarrow v_2$.

    (a) By inversion of typing and the inductive hypothesis, $\Gamma \vdash \tau_1 = \tau_2$.

    (b) Thus $\Gamma \vdash v_1 : \tau_1$ and $\Gamma \vdash v_2 : \tau_1$.

    (c) By the inductive hypothesis, $\Gamma \vdash v_1 = v_2 : \tau_1$.

    (d) By Rule 2.54, $\Gamma \vdash S(v_1 : \tau_1) = S(v_2 : \tau_2)$.

  • Case: $\Gamma \triangleright (x{:}\tau_1')\to\tau_1'' \leftrightarrow (x{:}\tau_2')\to\tau_2''$ because $\Gamma \triangleright \tau_1' \Leftrightarrow \tau_2'$ and $\Gamma, x{:}\tau_1' \triangleright \tau_1'' \Leftrightarrow \tau_2''$.

    By inversion of typing and the inductive hypothesis.

  • Case: $\Gamma \triangleright (x{:}\tau_1')\times\tau_1'' \leftrightarrow (x{:}\tau_2')\times\tau_2''$ because $\Gamma \triangleright \tau_1' \Leftrightarrow \tau_2'$ and $\Gamma, x{:}\tau_1' \triangleright \tau_1'' \Leftrightarrow \tau_2''$.

    By inversion of typing and the inductive hypothesis.

  • Case: $\Gamma \triangleright \forall\alpha{::}K_1.\tau_1 \leftrightarrow \forall\alpha{::}K_2.\tau_2$ because $\Gamma \triangleright K_1 \Leftrightarrow K_2$ and $\Gamma, \alpha{::}K_1 \triangleright \tau_1 \Leftrightarrow \tau_2$.

    By inversion of typing, soundness of kind equivalence, and the inductive hypothesis.

■

The soundness proofs for the remaining algorithmic judgments are then straightforward.

Theorem 6.5.7 (Soundness of Subtyping)

1. If $\Gamma \vdash \tau_1$ and $\Gamma \vdash \tau_2$ and $\Gamma \triangleright \tau_1 \le \tau_2$ then $\Gamma \vdash \tau_1 \le \tau_2$.

2. If $\Gamma \vdash \tau_1$ and $\Gamma \vdash \tau_2$ and $\Gamma \triangleright \tau_1 \sqsubseteq \tau_2$ then $\Gamma \vdash \tau_1 \le \tau_2$.

Proof: By induction on algorithmic derivations. ■

Theorem 6.5.8 (Soundness of Typechecking)

1. If $\Gamma \vdash \mathrm{ok}$ and $\Gamma \triangleright \tau$ then $\Gamma \vdash \tau$.

2. If $\Gamma \vdash \mathrm{ok}$ and $\Gamma \triangleright e \Rightarrow \tau$ then $\Gamma \vdash e : \tau$ and $\Gamma \triangleright e \Uparrow \tau$.

3. If $\Gamma \vdash \tau$ and $\Gamma \triangleright e \Leftarrow \tau$ then $\Gamma \vdash e : \tau$.

Proof: By induction on algorithmic derivations. ■
Chapter 7

Completeness and Decidability for Types and Terms

7.1 Type and Term Equivalence

The approach for studying type and term equivalence is very similar to that for constructor and kind equivalence. Figures 7.1 and 7.2 show a symmetrized version of the type and term equivalence algorithms. By construction the algorithm is symmetric and transitive:

Lemma 7.1.1 (Algorithmic PER Properties)

1. If $\Delta_1 \triangleright v_1 \Leftrightarrow \Delta_2 \triangleright v_2$ then $\Delta_2 \triangleright v_2 \Leftrightarrow \Delta_1 \triangleright v_1$.

2. If $\Delta_1 \triangleright v_1 \Leftrightarrow \Delta_2 \triangleright v_2$ and $\Delta_2 \triangleright v_2 \Leftrightarrow \Delta_3 \triangleright v_3$ then $\Delta_1 \triangleright v_1 \Leftrightarrow \Delta_3 \triangleright v_3$.

3. If $\Delta_1 \triangleright v_1 \leftrightarrow \Delta_2 \triangleright v_2$ then $\Delta_2 \triangleright v_2 \leftrightarrow \Delta_1 \triangleright v_1$.

4. If $\Delta_1 \triangleright v_1 \leftrightarrow \Delta_2 \triangleright v_2$ and $\Delta_2 \triangleright v_2 \leftrightarrow \Delta_3 \triangleright v_3$ then $\Delta_1 \triangleright v_1 \leftrightarrow \Delta_3 \triangleright v_3$.

5. If $\Delta_1 \triangleright \tau_1 \Leftrightarrow \Delta_2 \triangleright \tau_2$ then $\Delta_2 \triangleright \tau_2 \Leftrightarrow \Delta_1 \triangleright \tau_1$.

6. If $\Delta_1 \triangleright \tau_1 \Leftrightarrow \Delta_2 \triangleright \tau_2$ and $\Delta_2 \triangleright \tau_2 \Leftrightarrow \Delta_3 \triangleright \tau_3$ then $\Delta_1 \triangleright \tau_1 \Leftrightarrow \Delta_3 \triangleright \tau_3$.

The proof of completeness for term equivalence is essentially the same as the completeness proof for constructor equivalence. Although the algorithm is not type-directed, the fact that it must maintain two contexts requires the more complex two-world form of logical relation: see Figures 7.3, 7.4, and 7.5. The main differences from the constructor- and kind-level relations are:

1. Since type equivalence is not purely structural (e.g., $\mathrm{Ty}(\mathrm{Int}\times\mathrm{Int}) = \mathrm{Ty}(\mathrm{Int})\times\mathrm{Ty}(\mathrm{Int})$) the logical relations are defined using head normalization of types.

2. The term-level logical relations are defined only for values, not all expressions.

3. The $\Pi$ cases of the term-level relations have been simplified, since applications are not values.

4. These logical relations also require that $\vdash \Delta_1 = \Delta_2$ as well as declarative well-formedness or equivalences, as appropriate. This allows the invocation of the correctness results for the constructor algorithms.

It is not immediately obvious that these logical relations are well-defined, because they are not defined simply by induction on types.
Algorithmic type equivalence

  $\Gamma_1 \triangleright \tau_1 \Leftrightarrow \Gamma_2 \triangleright \tau_2$   if $\Gamma_1 \triangleright \tau_1 \Downarrow \sigma_1$, $\Gamma_2 \triangleright \tau_2 \Downarrow \sigma_2$, and $\Gamma_1 \triangleright \sigma_1 \leftrightarrow \Gamma_2 \triangleright \sigma_2$.

Weak algorithmic type equivalence

  $\Gamma_1 \triangleright \mathrm{Ty}(A_1) \leftrightarrow \Gamma_2 \triangleright \mathrm{Ty}(A_2)$   if $\Gamma_1 \triangleright A_1 :: \mathrm{T} \Leftrightarrow \Gamma_2 \triangleright A_2 :: \mathrm{T}$.
  $\Gamma_1 \triangleright S(v_1 : \tau_1) \leftrightarrow \Gamma_2 \triangleright S(v_2 : \tau_2)$   if $\Gamma_1 \triangleright \tau_1 \Leftrightarrow \Gamma_2 \triangleright \tau_2$ and $\Gamma_1 \triangleright v_1 \Leftrightarrow \Gamma_2 \triangleright v_2$.
  $\Gamma_1 \triangleright (x{:}\tau_1)\to\sigma_1 \leftrightarrow \Gamma_2 \triangleright (x{:}\tau_2)\to\sigma_2$   if $\Gamma_1 \triangleright \tau_1 \Leftrightarrow \Gamma_2 \triangleright \tau_2$ and $\Gamma_1, x{:}\tau_1 \triangleright \sigma_1 \Leftrightarrow \Gamma_2, x{:}\tau_2 \triangleright \sigma_2$.
  $\Gamma_1 \triangleright (x{:}\tau_1)\times\sigma_1 \leftrightarrow \Gamma_2 \triangleright (x{:}\tau_2)\times\sigma_2$   if $\Gamma_1 \triangleright \tau_1 \Leftrightarrow \Gamma_2 \triangleright \tau_2$ and $\Gamma_1, x{:}\tau_1 \triangleright \sigma_1 \Leftrightarrow \Gamma_2, x{:}\tau_2 \triangleright \sigma_2$.
  $\Gamma_1 \triangleright \forall\alpha{::}K_1.\tau_1 \leftrightarrow \Gamma_2 \triangleright \forall\alpha{::}K_2.\tau_2$   if $\Gamma_1 \triangleright K_1 \Leftrightarrow \Gamma_2 \triangleright K_2$ and $\Gamma_1, \alpha{::}K_1 \triangleright \tau_1 \Leftrightarrow \Gamma_2, \alpha{::}K_2 \triangleright \tau_2$.

Figure 7.1: Revised Type Equivalence Algorithm

Algorithmic term equivalence

  $\Gamma_1 \triangleright e_1 \Leftrightarrow \Gamma_2 \triangleright e_2$   if $\Gamma_1 \triangleright e_1 \Downarrow d_1$, $\Gamma_2 \triangleright e_2 \Downarrow d_2$, and $\Gamma_1 \triangleright d_1 \leftrightarrow \Gamma_2 \triangleright d_2$.

Algorithmic weak term equivalence

  $\Gamma_1 \triangleright n \leftrightarrow \Gamma_2 \triangleright n$   always.
  $\Gamma_1 \triangleright x \leftrightarrow \Gamma_2 \triangleright x$   always.
  $\Gamma_1 \triangleright \mathsf{fun}\ f(x{:}\tau_1'){:}\tau_1''\ \mathsf{is}\ e_1 \leftrightarrow \Gamma_2 \triangleright \mathsf{fun}\ f(x{:}\tau_2'){:}\tau_2''\ \mathsf{is}\ e_2$   if $\Gamma_1 \triangleright \tau_1' \Leftrightarrow \Gamma_2 \triangleright \tau_2'$ and $\Gamma_1, x{:}\tau_1' \triangleright \tau_1'' \Leftrightarrow \Gamma_2, x{:}\tau_2' \triangleright \tau_2''$ and $\Gamma_1, f{:}(x{:}\tau_1')\to\tau_1'', x{:}\tau_1' \triangleright e_1 \Leftrightarrow \Gamma_2, f{:}(x{:}\tau_2')\to\tau_2'', x{:}\tau_2' \triangleright e_2$.
  $\Gamma_1 \triangleright \lambda x{:}\tau_1'.e_1 \leftrightarrow \Gamma_2 \triangleright \lambda x{:}\tau_2'.e_2$   if $\Gamma_1 \triangleright \tau_1' \Leftrightarrow \Gamma_2 \triangleright \tau_2'$ and $\Gamma_1, x{:}\tau_1' \triangleright e_1 \Leftrightarrow \Gamma_2, x{:}\tau_2' \triangleright e_2$.
  $\Gamma_1 \triangleright \Lambda(\alpha{::}K_1){:}\tau_1.e_1 \leftrightarrow \Gamma_2 \triangleright \Lambda(\alpha{::}K_2){:}\tau_2.e_2$   if $\Gamma_1 \triangleright K_1 \Leftrightarrow \Gamma_2 \triangleright K_2$ and $\Gamma_1, \alpha{::}K_1 \triangleright \tau_1 \Leftrightarrow \Gamma_2, \alpha{::}K_2 \triangleright \tau_2$ and $\Gamma_1, \alpha{::}K_1 \triangleright e_1 \Leftrightarrow \Gamma_2, \alpha{::}K_2 \triangleright e_2$.
  $\Gamma_1 \triangleright \langle v_1', v_1''\rangle \leftrightarrow \Gamma_2 \triangleright \langle v_2', v_2''\rangle$   if $\Gamma_1 \triangleright v_1' \Leftrightarrow \Gamma_2 \triangleright v_2'$ and $\Gamma_1 \triangleright v_1'' \Leftrightarrow \Gamma_2 \triangleright v_2''$.
  $\Gamma_1 \triangleright \pi_i v_1 \leftrightarrow \Gamma_2 \triangleright \pi_i v_2$   if $\Gamma_1 \triangleright v_1 \leftrightarrow \Gamma_2 \triangleright v_2$.
  $\Gamma_1 \triangleright v_1\ v_1' \leftrightarrow \Gamma_2 \triangleright v_2\ v_2'$   if $\Gamma_1 \triangleright v_1 \Leftrightarrow \Gamma_2 \triangleright v_2$ and $\Gamma_1 \triangleright v_1' \Leftrightarrow \Gamma_2 \triangleright v_2'$.
  $\Gamma_1 \triangleright v_1\ A_1 \leftrightarrow \Gamma_2 \triangleright v_2\ A_2$   if $\Gamma_1 \triangleright v_1 \Leftrightarrow \Gamma_2 \triangleright v_2$, $\Gamma_i \triangleright v_i \Downarrow w_i$, $\Gamma_i \triangleright w_i \Uparrow \sigma_i$, $\sigma_i^{\$} = \forall\alpha{::}L_i'.\sigma_i''$, and $\Gamma_1 \triangleright A_1 :: L_1' \Leftrightarrow \Gamma_2 \triangleright A_2 :: L_2'$.
  $\Gamma_1 \triangleright (\mathsf{let}\ x{:}\tau_1' = e_1'\ \mathsf{in}\ e_1 : \tau_1\ \mathsf{end}) \leftrightarrow \Gamma_2 \triangleright (\mathsf{let}\ x{:}\tau_2' = e_2'\ \mathsf{in}\ e_2 : \tau_2\ \mathsf{end})$   if $\Gamma_1 \triangleright \tau_1' \Leftrightarrow \Gamma_2 \triangleright \tau_2'$, $\Gamma_1 \triangleright e_1' \Leftrightarrow \Gamma_2 \triangleright e_2'$, $\Gamma_1, x{:}\tau_1' \triangleright e_1 \Leftrightarrow \Gamma_2, x{:}\tau_2' \triangleright e_2$, and $\Gamma_1 \triangleright \tau_1 \Leftrightarrow \Gamma_2 \triangleright \tau_2$.

Figure 7.2: Revised Term Equivalence Algorithm
• $(\Delta; \tau)$ valid iff

  1. $\Delta \vdash \tau$

  2. and

    – $\tau = \mathrm{Ty}(A)$ and $\Delta \triangleright \tau \Downarrow \tau$

    – Or, $\tau = S(v : \sigma)$ and $(\Delta; v; \sigma)$ valid

    – Or, $\Delta \triangleright \tau \Downarrow (x{:}\tau')\to\tau''$, and $(\Delta; \tau')$ valid, and for all $\Delta' \supseteq \Delta$ and $\Delta'' \supseteq \Delta$ if $(\Delta'; v'; \tau')$ is $(\Delta''; w'; \tau')$ then $(\Delta'; [v'/x]\tau'')$ is $(\Delta''; [w'/x]\tau'')$.

    – Or, $\Delta \triangleright \tau \Downarrow (x{:}\tau')\times\tau''$, and $(\Delta; \tau')$ valid, and for all $\Delta' \supseteq \Delta$ and $\Delta'' \supseteq \Delta$ if $(\Delta'; v'; \tau')$ is $(\Delta''; w'; \tau')$ then $(\Delta'; [v'/x]\tau'')$ is $(\Delta''; [w'/x]\tau'')$.

    – Or, $\tau = \forall\alpha{::}K.\tau''$, and for all $\Delta' \supseteq \Delta$ and $\Delta'' \supseteq \Delta$ if $\vdash \Delta' = \Delta''$ and $\Delta' \vdash A_1 = A_2 :: K$ then $(\Delta'; [A_1/\alpha]\tau'')$ is $(\Delta''; [A_2/\alpha]\tau'')$.

• $(\Delta_1; \tau_1)$ is $(\Delta_2; \tau_2)$ iff

  1. $\vdash \Delta_1 = \Delta_2$ and $\Delta_1 \vdash \tau_1 = \tau_2$

  2. $(\Delta_1; \tau_1)$ valid and $(\Delta_2; \tau_2)$ valid.

  3. – $\tau_i = \mathrm{Ty}(A_i)$ and $\Delta_i \triangleright \tau_i \Downarrow \tau_i$

    – Or, $\tau_i = S(v_i : \sigma_i)$ and $(\Delta_1; v_1; \sigma_1)$ is $(\Delta_2; v_2; \sigma_2)$

    – Or, $\Delta_i \triangleright \tau_i \Downarrow (x{:}\tau_i')\to\tau_i''$, and $(\Delta_1; \tau_1')$ is $(\Delta_2; \tau_2')$, and for all $\Delta_1' \supseteq \Delta_1$ and $\Delta_2' \supseteq \Delta_2$ if $(\Delta_1'; v_1'; \tau_1')$ is $(\Delta_2'; v_2'; \tau_2')$ then $(\Delta_1'; [v_1'/x]\tau_1'')$ is $(\Delta_2'; [v_2'/x]\tau_2'')$.

    – Or, $\Delta_i \triangleright \tau_i \Downarrow (x{:}\tau_i')\times\tau_i''$, and $(\Delta_1; \tau_1')$ is $(\Delta_2; \tau_2')$, and for all $\Delta_1' \supseteq \Delta_1$ and $\Delta_2' \supseteq \Delta_2$ if $(\Delta_1'; v_1'; \tau_1')$ is $(\Delta_2'; v_2'; \tau_2')$ then $(\Delta_1'; [v_1'/x]\tau_1'')$ is $(\Delta_2'; [v_2'/x]\tau_2'')$.

    – Or, $\tau_i = \forall\alpha{::}K_i.\tau_i''$, and for all $\Delta_1' \supseteq \Delta_1$ and $\Delta_2' \supseteq \Delta_2$ if $\vdash \Delta_1' = \Delta_2'$ and $\Delta_1' \vdash A_1 = A_2 :: K_1$ then $(\Delta_1'; [A_1/\alpha]\tau_1'')$ is $(\Delta_2'; [A_2/\alpha]\tau_2'')$.

Figure 7.3: Logical Relations for Types

• $(\Delta; v; \tau)$ valid iff

  1. $(\Delta; \tau)$ valid

  2. $\Delta \vdash v : \tau$

  3. $\Delta \triangleright v \Leftrightarrow \Delta \triangleright v$

  4. – $\tau = \mathrm{Ty}(A)$ and $\Delta \triangleright \tau \Downarrow \tau$

    – Or, $\tau = S(w : \tau')$ and $(\Delta; v; \tau')$ is $(\Delta; w; \tau')$

    – Or, $\Delta \triangleright \tau \Downarrow (x{:}\tau')\to\tau''$

    – Or, $\Delta \triangleright \tau \Downarrow (x{:}\tau')\times\tau''$, $(\Delta; \pi_1 v; \tau')$ valid, and $(\Delta; \pi_2 v; [\pi_1 v/x]\tau'')$ valid.

    – Or, $\tau = \forall\alpha{::}K.\tau'$.

• $(\Delta_1; v_1; \tau_1)$ is $(\Delta_2; v_2; \tau_2)$ iff

  1. $(\Delta_1; \tau_1)$ is $(\Delta_2; \tau_2)$

  2. $(\Delta_1; v_1; \tau_1)$ valid and $(\Delta_2; v_2; \tau_2)$ valid

  3. $\Delta_1 \vdash v_1 = v_2 : \tau_1$

  4. $\Delta_1 \triangleright v_1 \Leftrightarrow \Delta_2 \triangleright v_2$

  5. – $\tau_i = \mathrm{Ty}(A_i)$ and $\Delta_i \triangleright \tau_i \Downarrow \tau_i$

    – Or, $\tau_i = S(w_i : \sigma_i)$ and $(\Delta_1; v_1; \sigma_1)$ is $(\Delta_2; v_2; \sigma_2)$

    – Or, $\Delta_i \triangleright \tau_i \Downarrow (x{:}\tau_i')\to\tau_i''$

    – Or, $\Delta_i \triangleright \tau_i \Downarrow (x{:}\tau_i')\times\tau_i''$, $(\Delta_1; \pi_1 v_1; \tau_1')$ is $(\Delta_2; \pi_1 v_2; \tau_2')$, and $(\Delta_1; \pi_2 v_1; [\pi_1 v_1/x]\tau_1'')$ is $(\Delta_2; \pi_2 v_2; [\pi_1 v_2/x]\tau_2'')$.

    – Or, $\tau_i = \forall\alpha{::}K_i.\tau_i'$.

Figure 7.4: Logical Relations for Values

• $(\Delta_1; \tau_1 \le \sigma_1)$ is $(\Delta_2; \tau_2 \le \sigma_2)$ iff

  1. $\forall \Delta_1' \supseteq \Delta_1$ and $\Delta_2' \supseteq \Delta_2$, if $(\Delta_1'; v_1; \tau_1)$ is $(\Delta_2'; v_2; \tau_2)$ then $(\Delta_1'; v_1; \sigma_1)$ is $(\Delta_2'; v_2; \sigma_2)$

• $(\Delta; \gamma; \Gamma)$ valid iff

  1. $\Delta \vdash \mathrm{ok}$

  2. $\forall \alpha \in \mathrm{dom}(\Gamma).\ \Delta \vdash \gamma\alpha :: \gamma(\Gamma(\alpha))$

  3. $\forall x \in \mathrm{dom}(\Gamma).\ (\Delta; \gamma x; \gamma(\Gamma(x)))$ valid

• $(\Delta_1; \gamma_1; \Gamma_1)$ is $(\Delta_2; \gamma_2; \Gamma_2)$ iff

  1. $\vdash \Delta_1 = \Delta_2$

  2. $\mathrm{dom}(\Gamma_1) = \mathrm{dom}(\Gamma_2)$

  3. $(\Delta_1; \gamma_1; \Gamma_1)$ valid and $(\Delta_2; \gamma_2; \Gamma_2)$ valid

  4. $\forall \alpha \in \mathrm{dom}(\Gamma_1).\ \Delta_1 \vdash \gamma_1\alpha = \gamma_2\alpha :: \gamma_1(\Gamma_1(\alpha))$

  5. $\forall x \in \mathrm{dom}(\Gamma_1).\ (\Delta_1; \gamma_1 x; \gamma_1(\Gamma_1(x)))$ is $(\Delta_2; \gamma_2 x; \gamma_2(\Gamma_2(x)))$

Figure 7.5: Derived Logical Relations



  $\mathit{size}(\Gamma; \forall\alpha{::}K.\tau) = (1, 0) + \mathit{size}(\Gamma, \alpha{::}K; \tau)$
  $\mathit{size}(\Gamma; S(v : \tau)) = (1, 0) + \mathit{size}(\Gamma; \tau)$
  $\mathit{size}(\Gamma; (x{:}\tau')\to\tau'') = (0, 1) + \mathit{size}(\Gamma; \tau') + \mathit{size}(\Gamma, x{:}\tau'; \tau'')$
  $\mathit{size}(\Gamma; (x{:}\tau')\times\tau'') = (0, 1) + \mathit{size}(\Gamma; \tau') + \mathit{size}(\Gamma, x{:}\tau'; \tau'')$
  $\mathit{size}(\Gamma; \mathrm{Ty}(A)) = (0, \text{number of } \times\text{'s and } \to\text{'s in } B \text{ where } \Gamma \triangleright A :: \mathrm{T} \Rightarrow B)$

Figure 7.6: Size Metric for Types
I therefore define the size of a type $\tau$ relative to a context $\Gamma$ to be a pair of integers. (If $\Gamma$ is apparent from context, I will just refer to the size of $\tau$.) The formal definition is given in Figure 7.6; the definition there uses componentwise addition:

  $(m_1, m_2) + (n_1, n_2) = (m_1 + n_1, m_2 + n_2)$.

The first component of the size is the number of $\forall$'s and $S$'s in the type. The second component is the number of $\times$'s and $\to$'s in the type after all the constructors within $\mathrm{Ty}(\cdot)$'s have been normalized. These sizes are ordered lexicographically:

  $(m_1, m_2) < (n_1, n_2) \iff (m_1 < n_1) \lor ((m_1 = n_1) \land (m_2 < n_2))$.

The relevant properties of sizes are summarized in the following lemma:

Lemma 7.1.2 (Sizes of Types)

1. If $\Gamma \vdash \tau_1 = \tau_2$ then $\mathit{size}(\Gamma; \tau_1) = \mathit{size}(\Gamma; \tau_2)$.

2. If $\Gamma \vdash \tau_1$ and $\Gamma \triangleright \tau_1 \Downarrow \tau_2$ then $\tau_1$ and $\tau_2$ have equal sizes.

3. If $\Gamma \vdash S(v : \tau)$ then the size of $S(v : \tau)$ is strictly greater than the size of $\tau$.

4. If $\Gamma \vdash (x{:}\tau')\to\tau''$ then the size of $(x{:}\tau')\to\tau''$ is strictly greater than both the size of $\tau'$ and the size of $[v/x]\tau''$ for any value satisfying $\Gamma \vdash v : \tau'$.

5. If $\Gamma \vdash (x{:}\tau')\times\tau''$ then the size of $(x{:}\tau')\times\tau''$ is strictly greater than both the size of $\tau'$ and the size of $[v/x]\tau''$ for any value satisfying $\Gamma \vdash v : \tau'$.

6. If $\Gamma \vdash \forall\alpha{::}K.\tau$ then the size of $\forall\alpha{::}K.\tau$ is strictly greater than the size of $[A/\alpha]\tau$ for any constructor satisfying $\Gamma \vdash A :: K$.

Proof:

1. By induction on equivalence derivations and the properties of constructor normalization.

2. By part 1 and Lemma 6.2.1.

3–6. By definition of sizes.

■
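The size metric of Figure 7.6 and the lexicographic order it is compared under, as an added worked example that is not part of the dissertation. Types and constructors are plain tuples; constructor normalization "Γ ▷ A :: T ⇒ B" is approximated by unfolding variables whose kind in the context is a singleton kind (a constructed simplification: constructors are assumed to carry no beta-redexes, and kinds are limited to T and S(A)). The sample types TY_PRODUCT, PRODUCT_OF_TY, POLY and INSTANCE are constructed for the example; they illustrate part 2 (the equivalent types Ty(int × int) and Ty(int) × Ty(int) receive the same size) and part 6 (instantiating ∀α::T. Ty(α) at int × int produces a type with more ×'s, which is nevertheless smaller because the first component is what the order consults first).

```python
from typing import Dict, Tuple

# Constructors of kind T, assumed already in normal form apart from variables:
#   ('int',) | ('var', a) | ('times', A, B) | ('arrow', A, B)
# Kinds of constructor variables (a constructed simplification of MILo's kinds):
#   'T' (no information) | ('S', A)  -- the singleton kind: alpha is equal to A
# Types:
#   ('Ty', A) | ('S', v, tau) | ('arrow', x, t1, t2) | ('times', x, t1, t2)
#   | ('forall', a, K, tau)
Size = Tuple[int, int]


def add(p: Size, q: Size) -> Size:
    """Componentwise addition (m1, m2) + (n1, n2) = (m1 + n1, m2 + n2)."""
    return (p[0] + q[0], p[1] + q[1])


def lex_less(p: Size, q: Size) -> bool:
    """Lexicographic order: (m1, m2) < (n1, n2) iff m1 < n1 or (m1 = n1 and m2 < n2)."""
    return p[0] < q[0] or (p[0] == q[0] and p[1] < q[1])


def subst_con(A, a: str, B):
    """[B/a]A on constructors."""
    if A[0] == 'var':
        return B if A[1] == a else A
    if A[0] in ('times', 'arrow'):
        return (A[0], subst_con(A[1], a, B), subst_con(A[2], a, B))
    return A


def normalize(kctx: Dict[str, object], A):
    """Stand-in for 'Gamma |> A :: T ==> B': unfold variables whose kind in the
    context is a singleton kind, recursively. (Assumption: no beta-redexes.)"""
    if A[0] == 'var':
        K = kctx.get(A[1], 'T')
        return normalize(kctx, K[1]) if K != 'T' else A
    if A[0] in ('times', 'arrow'):
        return (A[0], normalize(kctx, A[1]), normalize(kctx, A[2]))
    return A


def count_ops(B) -> int:
    """Number of x's and ->'s in a (normalized) constructor."""
    if B[0] in ('times', 'arrow'):
        return 1 + count_ops(B[1]) + count_ops(B[2])
    return 0


def size(kctx: Dict[str, object], tau) -> Size:
    """size(Gamma; tau) as in Figure 7.6; kctx holds the constructor variables
    of Gamma with their kinds (term variables never affect normalization)."""
    tag = tau[0]
    if tag == 'forall':
        _, a, K, body = tau
        return add((1, 0), size({**kctx, a: K}, body))
    if tag == 'S':
        return add((1, 0), size(kctx, tau[2]))
    if tag in ('arrow', 'times'):
        return add((0, 1), add(size(kctx, tau[2]), size(kctx, tau[3])))
    return (0, count_ops(normalize(kctx, tau[1])))   # 'Ty'


def subst_type(tau, a: str, B):
    """[B/a]tau: constructor substitution into a type (values are left alone,
    since they do not contribute to the size)."""
    tag = tau[0]
    if tag == 'Ty':
        return ('Ty', subst_con(tau[1], a, B))
    if tag == 'S':
        return ('S', tau[1], subst_type(tau[2], a, B))
    if tag in ('arrow', 'times'):
        return (tag, tau[1], subst_type(tau[2], a, B), subst_type(tau[3], a, B))
    _, b, K, body = tau                                   # 'forall'
    Ks = K if K == 'T' else ('S', subst_con(K[1], a, B))
    if b == a:                                            # the binder shadows a
        return ('forall', b, Ks, body)
    return ('forall', b, Ks, subst_type(body, a, B))


INT = ('int',)
# Constructed examples for Lemma 7.1.2:
# (2) Ty(int x int) and Ty(int) x Ty(int) are equivalent types and get equal sizes.
TY_PRODUCT = ('Ty', ('times', INT, INT))
PRODUCT_OF_TY = ('times', '_', ('Ty', INT), ('Ty', INT))
# (6) forall a::T. Ty(a) against its instance at int x int: the instance has
# more x's, so only the lexicographic order makes it smaller.
POLY = ('forall', 'a', 'T', ('Ty', ('var', 'a')))
INSTANCE = subst_type(('Ty', ('var', 'a')), 'a', ('times', INT, INT))
```

With a singleton-kinded variable in the context, the second component is sensitive to the context as the text describes: under α::S(int → int) the type Ty(α) has size (0, 1), while under α::T it has size (0, 0).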


Lemma 7.1.3 (Logical Reflexivity)

1. If $(\Delta; \tau)$ valid then $(\Delta; \tau)$ is $(\Delta; \tau)$.

2. If $(\Delta; v; \tau)$ valid then $(\Delta; v; \tau)$ is $(\Delta; v; \tau)$.

3. If $(\Delta; \gamma; \Gamma)$ valid then $(\Delta; \gamma; \Gamma)$ is $(\Delta; \gamma; \Gamma)$.

Proof: By induction on the size of types.

1. In all cases, $\vdash \Delta = \Delta$ and $\Delta \vdash \tau = \tau$ by declarative reflexivity.

  • Case: $\tau = \mathrm{Ty}(A)$ and $\Delta \triangleright \tau \Downarrow \tau$. Trivially $(\Delta; \mathrm{Ty}(A))$ is $(\Delta; \mathrm{Ty}(A))$.

  • Case: $\tau = S(v : \sigma)$. By the inductive hypothesis $(\Delta; v; \sigma)$ valid implies $(\Delta; v; \sigma)$ is $(\Delta; v; \sigma)$. Thus $(\Delta; S(v : \sigma))$ is $(\Delta; S(v : \sigma))$.

  • Case: $\Delta \triangleright \tau \Downarrow (x{:}\tau')\to\tau''$. Then $(\Delta; \tau')$ valid. By the inductive hypothesis, $(\Delta; \tau')$ is $(\Delta; \tau')$. Let $\Delta_1' \supseteq \Delta$ and $\Delta_2' \supseteq \Delta$ and assume $(\Delta_1'; v_1'; \tau')$ is $(\Delta_2'; v_2'; \tau')$. Then $(\Delta_1'; [v_1'/x]\tau'')$ is $(\Delta_2'; [v_2'/x]\tau'')$. Thus $(\Delta; \tau)$ is $(\Delta; \tau)$.

  • Case: $\Delta \triangleright \tau \Downarrow (x{:}\tau')\times\tau''$. Same proof as in previous case.

  • Case: $\tau = \forall\alpha{::}K.\tau''$. Assume $\Delta_1' \supseteq \Delta$, $\Delta_2' \supseteq \Delta$, $\vdash \Delta_1' = \Delta_2'$, and $\Delta_1' \vdash A_1 = A_2 :: K$. Then $(\Delta_1'; [A_1/\alpha]\tau'')$ is $(\Delta_2'; [A_2/\alpha]\tau'')$. Thus $(\Delta; \forall\alpha{::}K.\tau'')$ is $(\Delta; \forall\alpha{::}K.\tau'')$.

2. In all cases, $(\Delta; \tau)$ is $(\Delta; \tau)$ by the argument of the previous part, $\Delta \vdash v = v : \tau$ by Rule 2.79, and $\Delta \triangleright v \Leftrightarrow \Delta \triangleright v$ by assumption.

  • Case: $\tau = \mathrm{Ty}(A)$ and $\Delta \triangleright \tau \Downarrow \tau$. Trivial.

  • Case: $\tau = S(w : \tau')$. Then $(\Delta; v; \tau')$ is $(\Delta; w; \tau')$ so $(\Delta; v; \tau')$ valid. By the inductive hypothesis $(\Delta; v; \tau')$ is $(\Delta; v; \tau')$. Therefore $(\Delta; v; S(w : \tau'))$ is $(\Delta; v; S(w : \tau'))$.

  • Case: $\Delta \triangleright \tau \Downarrow (x{:}\tau')\to\tau''$. Trivial.

  • Case: $\Delta \triangleright \tau \Downarrow (x{:}\tau')\times\tau''$. Then $(\Delta; \pi_1 v; \tau')$ valid, so by the inductive hypothesis we have $(\Delta; \pi_1 v; \tau')$ is $(\Delta; \pi_1 v; \tau')$ and $(\Delta; \pi_2 v; [\pi_1 v/x]\tau'')$ is $(\Delta; \pi_2 v; [\pi_1 v/x]\tau'')$. Thus $(\Delta; v; \tau)$ is $(\Delta; v; \tau)$.

  • Case: $\tau = \forall\alpha{::}K.\tau'$. Trivial.

3. By declarative reflexivity we have $\vdash \Delta = \Delta$. By reflexivity of constructor equivalence, for all $\alpha \in \mathrm{dom}(\Gamma)$ we have $\Delta \vdash \gamma\alpha = \gamma\alpha :: \gamma(\Gamma(\alpha))$. By part 2, for all $x \in \mathrm{dom}(\Gamma)$ we have $(\Delta; \gamma x; \gamma(\Gamma(x)))$ is $(\Delta; \gamma x; \gamma(\Gamma(x)))$. Thus $(\Delta; \gamma; \Gamma)$ is $(\Delta; \gamma; \Gamma)$.

■


Lemma 7.1.4 (Logical Symmetry)

1. If $(\Delta_1; \tau_1)$ is $(\Delta_2; \tau_2)$ then $(\Delta_2; \tau_2)$ is $(\Delta_1; \tau_1)$.

2. If $(\Delta_1; \tau_1 \le \sigma_1)$ is $(\Delta_2; \tau_2 \le \sigma_2)$ then $(\Delta_2; \tau_2 \le \sigma_2)$ is $(\Delta_1; \tau_1 \le \sigma_1)$.

3. If $(\Delta_1; v_1; \tau_1)$ is $(\Delta_2; v_2; \tau_2)$ then $(\Delta_2; v_2; \tau_2)$ is $(\Delta_1; v_1; \tau_1)$.

4. If $(\Delta_1; \gamma_1; \Gamma_1)$ is $(\Delta_2; \gamma_2; \Gamma_2)$ then $(\Delta_2; \gamma_2; \Gamma_2)$ is $(\Delta_1; \gamma_1; \Gamma_1)$.

Proof: By induction on the size of types, using context replacement, declarative symmetry, and algorithmic symmetry. ■

The following two lemmas must be proved simultaneously by induction on the size of types. I have separated their statements for clarity.

Lemma 7.1.5

1. If $(\Delta; v; \tau)$ valid and $(\Delta; \tau)$ is $(\Delta; \sigma)$ then $(\Delta; v; \sigma)$ valid.

2. If $(\Delta_1; v_1; \tau_1)$ is $(\Delta_2; v_2; \tau_2)$, $(\Delta_1; \tau_1)$ is $(\Delta_1; \sigma_1)$, and $(\Delta_2; \tau_2)$ is $(\Delta_2; \sigma_2)$ then $(\Delta_1; v_1; \sigma_1)$ is $(\Delta_2; v_2; \sigma_2)$.

Proof: In all cases, by subsumption we have $\Delta \vdash v : \sigma$.

1. • Case: $\tau = \mathrm{Ty}(A)$ and $\Delta \triangleright \tau \Downarrow \tau$. Then $\sigma = \mathrm{Ty}(B)$ and $\Delta \triangleright \sigma \Downarrow \sigma$.

  • Case: $\tau = S(w : \tau')$. Then $\sigma = S(w' : \sigma')$ where $(\Delta; w; \tau')$ is $(\Delta; w'; \sigma')$. Since $(\Delta; v; \tau')$ is $(\Delta; w; \tau')$, inductively by Logical Transitivity we have $(\Delta; v; \tau')$ is $(\Delta; w'; \sigma')$.

  • Case: $\Delta \triangleright \tau \Downarrow (x{:}\tau')\to\tau''$. Then $\Delta \triangleright \sigma \Downarrow (x{:}\sigma')\to\sigma''$.

  • Case: $\Delta \triangleright \tau \Downarrow (x{:}\tau')\times\tau''$. Then $\Delta \triangleright \sigma \Downarrow (x{:}\sigma')\times\sigma''$. Now $(\Delta; \pi_1 v; \tau')$ valid and $(\Delta; \tau')$ is $(\Delta; \sigma')$, so by the inductive hypothesis we have $(\Delta; \pi_1 v; \sigma')$ valid. By reflexivity and the inductive hypothesis, $(\Delta; \pi_1 v; \tau')$ is $(\Delta; \pi_1 v; \sigma')$, so $(\Delta; [\pi_1 v/x]\tau'')$ is $(\Delta; [\pi_1 v/x]\sigma'')$. Since $(\Delta; \pi_2 v; [\pi_1 v/x]\tau'')$ valid, by the inductive hypothesis we have $(\Delta; \pi_2 v; [\pi_1 v/x]\sigma'')$ valid.

  • Case: $\tau = \forall\alpha{::}K.\tau'$. Then $\sigma = \forall\alpha{::}L.\sigma'$.

2. By subsumption, in all cases $\Delta_1 \vdash v_1 = v_2 : \sigma_1$. By the argument in part 1, $(\Delta_1; v_1; \sigma_1)$ valid and $(\Delta_2; v_2; \sigma_2)$ valid. Recall that $(\Delta_1; \tau_1)$ is $(\Delta_2; \tau_2)$.

  • Case: $\tau_i = \mathrm{Ty}(A_i)$ and $\Delta_i \triangleright \tau_i \Downarrow \tau_i$. Then $\sigma_i = \mathrm{Ty}(B_i)$ and $\Delta_i \triangleright \sigma_i \Downarrow \sigma_i$.

  • Case: $\tau_i = S(w_i : \tau_i')$. Then $\sigma_i = S(w_i' : \sigma_i')$, $(\Delta_1; v_1; \tau_1')$ is $(\Delta_2; v_2; \tau_2')$, $(\Delta_1; w_1; \tau_1')$ is $(\Delta_1; w_1'; \sigma_1')$, and $(\Delta_2; w_2; \tau_2')$ is $(\Delta_2; w_2'; \sigma_2')$. Thus $(\Delta_1; \tau_1')$ is $(\Delta_1; \sigma_1')$ and $(\Delta_2; \tau_2')$ is $(\Delta_2; \sigma_2')$. By the inductive hypothesis, $(\Delta_1; v_1; \sigma_1')$ is $(\Delta_2; v_2; \sigma_2')$.

  • Case: $\Delta_i \triangleright \tau_i \Downarrow (x{:}\tau_i')\to\tau_i''$. Then $\Delta_i \triangleright \sigma_i \Downarrow (x{:}\sigma_i')\to\sigma_i''$.

  • Case: $\Delta_i \triangleright \tau_i \Downarrow (x{:}\tau_i')\times\tau_i''$. Then $\Delta_i \triangleright \sigma_i \Downarrow (x{:}\sigma_i')\times\sigma_i''$. Now $(\Delta_1; \tau_1')$ is $(\Delta_1; \sigma_1')$, $(\Delta_2; \tau_2')$ is $(\Delta_2; \sigma_2')$, and $(\Delta_1; \pi_1 v_1; \tau_1')$ is $(\Delta_2; \pi_1 v_2; \tau_2')$. By the inductive hypothesis, $(\Delta_1; \pi_1 v_1; \sigma_1')$ is $(\Delta_2; \pi_1 v_2; \sigma_2')$. Also by Reflexivity we have $(\Delta_1; \pi_1 v_1; \tau_1')$ is $(\Delta_1; \pi_1 v_1; \tau_1')$ and $(\Delta_1; \tau_1')$ is $(\Delta_1; \tau_1')$, so by the inductive hypothesis we have $(\Delta_1; \pi_1 v_1; \tau_1')$ is $(\Delta_1; \pi_1 v_1; \sigma_1')$. Similarly, $(\Delta_2; \pi_1 v_2; \tau_2')$ is $(\Delta_2; \pi_1 v_2; \sigma_2')$. Thus $(\Delta_1; \pi_2 v_1; [\pi_1 v_1/x]\tau_1'')$ is $(\Delta_2; \pi_2 v_2; [\pi_1 v_2/x]\tau_2'')$, $(\Delta_1; [\pi_1 v_1/x]\tau_1'')$ is $(\Delta_1; [\pi_1 v_1/x]\sigma_1'')$, and $(\Delta_2; [\pi_1 v_2/x]\tau_2'')$ is $(\Delta_2; [\pi_1 v_2/x]\sigma_2'')$, so by the inductive hypothesis we have $(\Delta_1; \pi_2 v_1; [\pi_1 v_1/x]\sigma_1'')$ is $(\Delta_2; \pi_2 v_2; [\pi_1 v_2/x]\sigma_2'')$.

  • Case: $\tau_i = \forall\alpha{::}K_i.\tau_i'$. Then $\sigma_i = \forall\alpha{::}L_i.\sigma_i'$.

■


Lemma 7.1.6 (Logical Transitivity)

1. If (Δ₁;τ₁) is (Δ₂;τ₂) and (Δ₂;τ₂) is (Δ₂;σ₂) then (Δ₁;τ₁) is (Δ₂;σ₂).

2. If (Δ₁;v₁;τ₁) is (Δ₂;v₂;τ₂) and (Δ₂;v₂;τ₂) is (Δ₂;w₂;σ₂) then (Δ₁;v₁;τ₁) is (Δ₂;w₂;σ₂).

Proof: By induction on the size of types.

1. By context replacement and declarative transitivity, Δ₁ ⊢ τ₁ = σ₂.

   • Case: τ₁ = Ty(A₁), σ₂ = Ty(B₂), Δ₁ ▷ τ₁ ⇓ τ₁, and Δ₂ ▷ σ₂ ⇓ σ₂. Trivial.

   • Case: τ₁ = S(v₁ : τ₁') and σ₂ = S(w₂ : σ₂'). (Δ₁;v₁;τ₁') is (Δ₂;v₂;τ₂') and
     (Δ₂;v₂;τ₂') is (Δ₂;w₂;σ₂'). By the inductive hypothesis, (Δ₁;v₁;τ₁') is (Δ₂;w₂;σ₂').

   • Case: Δ₁ ▷ τ₁ ⇓ (x:τ₁')→τ₁'' and Δ₂ ▷ σ₂ ⇓ (x:σ₂')→σ₂''. Then (Δ₁;τ₁') is (Δ₂;τ₂') and
     (Δ₂;τ₂') is (Δ₂;σ₂'), so by the inductive hypothesis we have (Δ₁;τ₁') is (Δ₂;σ₂'). Let
     Δ₁' ⊇ Δ₁ and Δ₂' ⊇ Δ₂ and assume that (Δ₁';v₁';τ₁') is (Δ₂';v₂';σ₂'). By reflexivity and
     inductively by Lemma 7.1.5, (Δ₁';v₁';τ₁') is (Δ₂';v₂';τ₂'), so
     (Δ₁';[v₁'/x]τ₁'') is (Δ₂';[v₂'/x]τ₂''). Now by reflexivity, (Δ₂';v₂';σ₂') is (Δ₂';v₂';σ₂'), so by
     reflexivity and inductively by Lemma 7.1.5, (Δ₂';v₂';τ₂') is (Δ₂';v₂';σ₂'). Thus
     (Δ₂';[v₂'/x]τ₂'') is (Δ₂';[v₂'/x]σ₂''). By the inductive hypothesis,
     (Δ₁';[v₁'/x]τ₁'') is (Δ₂';[v₂'/x]σ₂'').

   • Case: Δ₁ ▷ τ₁ ⇓ (x:τ₁')×τ₁'' and Δ₂ ▷ σ₂ ⇓ (x:σ₂')×σ₂''. Same as previous case.

   • Case: τ₁ = ∀α::K₁.τ₁' and σ₂ = ∀α::L₂.σ₂'. Assume Δ₁' ⊇ Δ₁ and Δ₂' ⊇ Δ₂, ⊢ Δ₁' = Δ₂',
     and Δ₁' ⊢ A₁ = A₂ :: K₁. Since Δ₁' ⊢ K₁ = K₂ by Theorem 6.2.2, we have
     (Δ₁';[A₁/α]τ₁') is (Δ₂';[A₂/α]τ₂'). Also ⊢ Δ₂' = Δ₂', Δ₂' ⊢ K₂ = L₂, and by context
     replacement, declarative reflexivity, and subsumption we have Δ₂' ⊢ A₂ = A₂ :: K₂, so
     (Δ₂';[A₂/α]τ₂') is (Δ₂';[A₂/α]σ₂'). By the inductive hypothesis,
     (Δ₁';[A₁/α]τ₁') is (Δ₂';[A₂/α]σ₂').

2. Inductively using context replacement, declarative and algorithmic transitivity, and part 1.

■


Definition 7.1.7

The judgment Γ ▷ v₁ ↔ v₂ holds if and only if v₁ and v₂ have a common weak head reduct under
typing context Γ; that is, if and only if there exists w such that Γ ▷ v₁ ⇝* w and Γ ▷ v₂ ⇝* w.

Lemma 7.1.8 (Weak Head Closure)

1. If Δ₁ ▷ v₁ ↔ Δ₂ ▷ v₂, Δ₁ ▷ v₁ ⇝ w₁, and Δ₂ ▷ v₂ ⇝ w₂, then Δ₁ ▷ w₁ ↔ Δ₂ ▷ w₂.

2. If (Δ;v;τ) valid, Δ ▷ v ⇝ w, and Δ ⊢ w : τ then (Δ;w;τ) valid.

3. If (Δ₁;v₁;τ₁) is (Δ₂;v₂;τ₂), Δ₁ ▷ v₁ ⇝ w₁, Δ₂ ▷ v₂ ⇝ w₂, and Δ₁ ⊢ w₁ = w₂ : τ₁ then
   (Δ₁;w₁;τ₁) is (Δ₂;w₂;τ₂).

Proof:

1. By definition of the algorithm.

2-3. By simultaneous induction on the sizes of types.

■


Lemma 7.1.9

1. If Δ ▷ p ↑ τ, Δ ▷ p ↔ Δ ▷ p, and Δ ⊢ p : τ, then (Δ;p;τ) valid.

2. If Δ₁ ▷ p₁ ↑ τ₁, Δ₂ ▷ p₂ ↑ τ₂, Δ₁ ▷ p₁ ↔ Δ₂ ▷ p₂, Δ₁ ⊢ p₁ = p₂ : τ₁, and (Δ₁;τ₁) is (Δ₂;τ₂)
   then (Δ₁;p₁;τ₁) is (Δ₂;p₂;τ₂).

Proof: By induction on algorithmic derivations and weak head closure. ■

Corollary 7.1.10

If (Δ₁;Δ₁(x)) is (Δ₂;Δ₂(x)) then (Δ₁;x;Δ₁(x)) is (Δ₂;x;Δ₂(x)).

Proof: By part 2 of Lemma 7.1.9 with p₁ = p₂ = x, τ₁ = Δ₁(x), and τ₂ = Δ₂(x). ■

Lemma 7.1.11

1. If Δ ⊢ Ty(A) then (Δ;Ty(A)) valid.

2. If ⊢ Δ₁ = Δ₂ and Δ₁ ⊢ Ty(A₁) = Ty(A₂) then (Δ₁;Ty(A₁)) is (Δ₂;Ty(A₂)).

Proof: By induction on the size of types. Note that Ty(A) cannot head-normalize to a truly
dependent product or function type, or to a polymorphic or singleton type. ■


Lemma 7.1.12

If (Δ₁;τ₁) is (Δ₂;τ₂) then Δ₁ ▷ τ₁ ⇔ Δ₂ ▷ τ₂.

Proof: By induction on the sizes of types. ■

In the following theorem, note that part 6 uses algorithmic equivalence because logical equivalence
is defined only for values.

Theorem 7.1.13

1. If (Δ₁;γ₁;Γ) is (Δ₂;γ₂;Γ) and Γ ⊢ τ then (Δ₁;γ₁τ) is (Δ₂;γ₂τ).

2. If (Δ₁;γ₁;Γ) is (Δ₂;γ₂;Γ) and Γ ⊢ τ₁ = τ₂ then (Δ₁;γ₁τ₁) is (Δ₂;γ₂τ₂).

3. If (Δ₁;γ₁;Γ) is (Δ₂;γ₂;Γ) and Γ ⊢ τ₁ ≤ τ₂ then (Δ₁;γ₁τ₁ ≤ γ₁τ₂) is (Δ₂;γ₂τ₁ ≤ γ₂τ₂).

4. If (Δ₁;γ₁;Γ) is (Δ₂;γ₂;Γ) and Γ ⊢ v : τ then (Δ₁;γ₁v;γ₁τ) is (Δ₂;γ₂v;γ₂τ).

5. If (Δ₁;γ₁;Γ) is (Δ₂;γ₂;Γ) and Γ ⊢ v₁ = v₂ : τ then (Δ₁;γ₁v₁;γ₁τ) is (Δ₂;γ₂v₂;γ₂τ).

6. If (Δ₁;γ₁;Γ) is (Δ₂;γ₂;Γ) and Γ ⊢ e₁ = e₂ : τ then Δ₁ ▷ γ₁e₁ ⇔ Δ₂ ▷ γ₂e₂.

Proof: By induction on derivations.


Type Well-formedness Rules: Γ ⊢ τ. In all cases, by Substitution we have Δ₁ ⊢ γ₁τ and
Δ₂ ⊢ γ₂τ and by Functionality we have Δ₁ ⊢ γ₁τ = γ₂τ.

• Case: Rule 2.45

      Γ ⊢ A :: T
    ──────────────
      Γ ⊢ Ty(A)

  By Functionality, Δ₁ ⊢ γ₁A = γ₂A :: T. By Lemma 7.1.11,
  (Δ₁;Ty(γ₁A)) is (Δ₂;Ty(γ₂A)).

• Case: Rule 2.46

    Γ ⊢ v : τ    τ not a singleton
    ───────────────────────────────
            Γ ⊢ S(v : τ)

  By the inductive hypothesis, (Δ₁;γ₁v;γ₁τ) is (Δ₂;γ₂v;γ₂τ). Thus (Δ₁;S(γ₁v : γ₁τ)) valid,
  (Δ₂;S(γ₂v : γ₂τ)) valid, and (Δ₁;S(γ₁v : γ₁τ)) is (Δ₂;S(γ₂v : γ₂τ)).

• Case: Rule 2.47

      Γ, x:τ' ⊢ τ''
    ──────────────────
    Γ ⊢ (x:τ')→τ''

  Same argument as for Π kinds in Theorem 5.3.10.

• Case: Rule 2.48

      Γ, x:τ' ⊢ τ''
    ──────────────────
    Γ ⊢ (x:τ')×τ''

  Same argument as for Σ kinds in Theorem 5.3.10.

• Case: Rule 2.49

      Γ, α::K ⊢ τ
    ─────────────────
     Γ ⊢ ∀α::K.τ

  There is a strict subderivation Γ ⊢ K, so by substitution and functionality we have
  Δ₁ ⊢ γ₁K, Δ₂ ⊢ γ₂K, and Δ₁ ⊢ γ₁K = γ₂K. Assume Δ₁' ⊇ Δ₁ and Δ₁'' ⊇ Δ₁ and
  Δ₁' ⊢ A₁ = A₂ :: γ₁K. Then (Δ₁';γ₁[α↦A₁];Γ, α::K) is (Δ₁'';γ₁[α↦A₂];Γ, α::K). By the
  inductive hypothesis, (Δ₁';(γ₁[α↦A₁])τ) is (Δ₁'';(γ₁[α↦A₂])τ). That is,
  (Δ₁';[A₁/α](γ₁[α↦α]τ)) is (Δ₁'';[A₂/α](γ₁[α↦α]τ)). Thus (Δ₁;γ₁(∀α::K.τ)) valid. Similar
  arguments show that (Δ₂;γ₂(∀α::K.τ)) valid and (Δ₁;γ₁(∀α::K.τ)) is (Δ₂;γ₂(∀α::K.τ)).
Type Equivalence: Γ ⊢ τ₁ = τ₂. In all cases, by validity and substitution we have Δ₁ ⊢ γ₁τ₁ and
Δ₂ ⊢ γ₂τ₂ and by functionality we have Δ₁ ⊢ γ₁τ₁ = γ₂τ₂.

• Case: Rule 2.50.

        Γ ⊢ τ
    ─────────────
     Γ ⊢ τ = τ

  By the inductive hypothesis.

• Case: Rule 2.51.

     Γ ⊢ τ' = τ
    ─────────────
     Γ ⊢ τ = τ'

  By symmetry, (Δ₂;γ₂;Γ) is (Δ₁;γ₁;Γ). By the inductive hypothesis, (Δ₂;γ₂τ') is (Δ₁;γ₁τ).
  By Symmetry again, (Δ₁;γ₁τ) is (Δ₂;γ₂τ').

• Case: Rule 2.52.

    Γ ⊢ τ₁ = τ₂    Γ ⊢ τ₂ = τ₃
    ───────────────────────────
          Γ ⊢ τ₁ = τ₃

  Same proof as for the transitivity rule for constructor equivalence in Theorem 5.3.10.

• Case: Rule 2.53.

       Γ ⊢ A₁ = A₂ :: T
    ───────────────────────
    Γ ⊢ Ty(A₁) = Ty(A₂)

  By functionality, Δ₁ ⊢ γ₁A₁ = γ₂A₂ :: T, so by Lemma 7.1.11,
  (Δ₁;Ty(γ₁A₁)) is (Δ₂;Ty(γ₂A₂)).

• Case: Rule 2.58.

          Γ ⊢ A₁ :: T    Γ ⊢ A₂ :: T
    ─────────────────────────────────────
    Γ ⊢ Ty(A₁×A₂) = Ty(A₁)×Ty(A₂)

  First, Δ₁ ▷ γ₁(Ty(A₁×A₂)) ⇓ Ty(γ₁A₁)×Ty(γ₁A₂) and
  Δ₂ ▷ γ₂(Ty(A₁)×Ty(A₂)) ⇓ Ty(γ₂A₁)×Ty(γ₂A₂). By functionality, Δ₁ ⊢ γ₁A₁ = γ₂A₁ :: T
  and Δ₁ ⊢ γ₁A₂ = γ₂A₂ :: T. By Lemma 7.1.11, (Δ₁;Ty(γ₁A₁)) is (Δ₂;Ty(γ₂A₁)) and
  (Δ₁;Ty(γ₁A₂)) is (Δ₂;Ty(γ₂A₂)).

• Case: Rule 2.59.

          Γ ⊢ A₁ :: T    Γ ⊢ A₂ :: T
    ─────────────────────────────────────
    Γ ⊢ Ty(A₁→A₂) = Ty(A₁)→Ty(A₂)

  Analogous to the proof for Rule 2.58.

• Case: Rule 2.54.

    Γ ⊢ τ₁ = τ₂    Γ ⊢ v₁ = v₂ : τ₁    τ₁, τ₂ not a singleton
    ──────────────────────────────────────────────────────────
                 Γ ⊢ S(v₁ : τ₁) = S(v₂ : τ₂)

  By the inductive hypothesis, (Δ₁;γ₁v₁;γ₁τ₁) is (Δ₂;γ₂v₂;γ₂τ₁) and (Δ₂;γ₂τ₁) is (Δ₂;γ₂τ₂).
  By Lemma 7.1.5, (Δ₂;γ₂v₂;γ₂τ₂) valid and (Δ₁;γ₁v₁;γ₁τ₁) is (Δ₂;γ₂v₂;γ₂τ₂).

• Case: Rule 2.55.

    Γ ⊢ τ₁' = τ₂'    Γ, x:τ₁' ⊢ τ₁'' = τ₂''
    ─────────────────────────────────────────
      Γ ⊢ (x:τ₁')→τ₁'' = (x:τ₂')→τ₂''

  As in the proof for Π kinds.

• Case: Rule 2.56.

    Γ ⊢ τ₁' = τ₂'    Γ, x:τ₁' ⊢ τ₁'' = τ₂''
    ─────────────────────────────────────────
      Γ ⊢ (x:τ₁')×τ₁'' = (x:τ₂')×τ₂''

  As in the proof for Σ kinds.

• Case: Rule 2.57.

    Γ ⊢ K₁ = K₂    Γ, α::K₁ ⊢ τ₁ = τ₂
    ──────────────────────────────────
     Γ ⊢ ∀α::K₁.τ₁ = ∀α::K₂.τ₂

  Analogous to the proofs for the previous two rules, also using functionality to show
  Δ₁ ⊢ γ₁K₁ = γ₂K₂.


Subtyping: Γ ⊢ τ₁ ≤ τ₂. In all cases, by validity and substitution we have Δ₁ ⊢ γ₁τ₁, Δ₂ ⊢ γ₂τ₂,
Δ₁ ⊢ γ₁τ₁ ≤ γ₁τ₂, and Δ₂ ⊢ γ₂τ₁ ≤ γ₂τ₂. By functionality we have Δ₁ ⊢ γ₁τ₁ ≤ γ₂τ₂.

• Case: Rule 2.60

     Γ ⊢ τ₁ = τ₂
    ─────────────
     Γ ⊢ τ₁ ≤ τ₂

  Let Δ₁' ⊇ Δ₁ and Δ₂' ⊇ Δ₂ and assume (Δ₁';v₁;γ₁τ₁) is (Δ₂';v₂;γ₂τ₁). By the inductive
  hypothesis, (Δ₁';γ₁τ₁) is (Δ₁';γ₁τ₂) and (Δ₂';γ₂τ₁) is (Δ₂';γ₂τ₂). By Lemma 7.1.5,
  (Δ₁';v₁;γ₁τ₂) is (Δ₂';v₂;γ₂τ₂).

• Case: Rule 2.61

    Γ ⊢ τ₁ ≤ τ₂    Γ ⊢ τ₂ ≤ τ₃
    ───────────────────────────
          Γ ⊢ τ₁ ≤ τ₃

  Obvious by the inductive hypothesis: (Δ₁';v₁;γ₁τ₁) is (Δ₂';v₂;γ₂τ₁) implies
  (Δ₁';v₁;γ₁τ₂) is (Δ₂';v₂;γ₂τ₂), which implies (Δ₁';v₁;γ₁τ₃) is (Δ₂';v₂;γ₂τ₃).

• Case: Rule 2.62.

    Γ ⊢ v : τ    τ not a singleton
    ───────────────────────────────
          Γ ⊢ S(v : τ) ≤ τ

  Let Δ₁' ⊇ Δ₁ and Δ₂' ⊇ Δ₂ and assume (Δ₁';v₁;S(γ₁v : γ₁τ)) is (Δ₂';v₂;S(γ₂v : γ₂τ)).
  Then by definition of the logical relation, (Δ₁';v₁;γ₁τ) is (Δ₂';v₂;γ₂τ).

• Case: Rule 2.63

    Γ ⊢ S(w₁ : τ₁)    Γ ⊢ w₁ = w₂ : τ₂    Γ ⊢ τ₁ ≤ τ₂
    ─────────────────────────────────────────────────  (τ₁, τ₂ not a singleton)
              Γ ⊢ S(w₁ : τ₁) ≤ S(w₂ : τ₂)

  Let Δ₁' ⊇ Δ₁ and Δ₂' ⊇ Δ₂ be given, and assume
  (Δ₁';v₁;S(γ₁w₁ : γ₁τ₁)) is (Δ₂';v₂;S(γ₂w₁ : γ₂τ₁)). Then (Δ₁';v₁;γ₁τ₁) is (Δ₁';γ₁w₁;γ₁τ₁)
  and (Δ₂';v₂;γ₂τ₁) is (Δ₂';γ₂w₁;γ₂τ₁) and (Δ₁';v₁;γ₁τ₁) is (Δ₂';v₂;γ₂τ₁). Using the inductive
  hypothesis we have (Δ₁';v₁;γ₁τ₂) is (Δ₁';γ₁w₁;γ₁τ₂), and (Δ₂';v₂;γ₂τ₂) is (Δ₂';γ₂w₁;γ₂τ₂),
  and (Δ₁';v₁;γ₁τ₂) is (Δ₂';v₂;γ₂τ₂). Again by the inductive hypothesis,
  (Δ₁';γ₁w₁;γ₁τ₂) is (Δ₁';γ₁w₂;γ₁τ₂) and (Δ₂';γ₂w₁;γ₂τ₂) is (Δ₂';γ₂w₂;γ₂τ₂). By transitivity,
  (Δ₁';v₁;γ₁τ₂) is (Δ₁';γ₁w₂;γ₁τ₂) and (Δ₂';v₂;γ₂τ₂) is (Δ₂';γ₂w₂;γ₂τ₂). Therefore
  (Δ₁';v₁;S(γ₁w₂ : γ₁τ₂)) is (Δ₂';v₂;S(γ₂w₂ : γ₂τ₂)).
• Case: Rule 2.64.

    Γ ⊢ (x:τ₁')→τ₁''    Γ ⊢ τ₂' ≤ τ₁'    Γ, x:τ₂' ⊢ τ₁'' ≤ τ₂''
    ────────────────────────────────────────────────────────────
              Γ ⊢ (x:τ₁')→τ₁'' ≤ (x:τ₂')→τ₂''

  Same proof as for subkinding of Π kinds.

• Case: Rule 2.65.

    Γ ⊢ (x:τ₁')×τ₁''    Γ ⊢ τ₁' ≤ τ₂'    Γ, x:τ₁' ⊢ τ₁'' ≤ τ₂''
    ────────────────────────────────────────────────────────────
              Γ ⊢ (x:τ₁')×τ₁'' ≤ (x:τ₂')×τ₂''

  Same proof as for subkinding of Σ kinds.

• Case: Rule 2.66.

    Γ ⊢ ∀α::K₁.τ₁    Γ ⊢ K₂ ≤ K₁    Γ, α::K₂ ⊢ τ₁ ≤ τ₂
    ─────────────────────────────────────────────────
            Γ ⊢ ∀α::K₁.τ₁ ≤ ∀α::K₂.τ₂

  Analogous to the proof for function types.

Term Validity: Γ ⊢ e : τ. In all cases, by validity and Substitution we have Δ₁ ⊢ γ₁e : γ₁τ and
Δ₂ ⊢ γ₂e : γ₂τ. By functionality we have Δ₁ ⊢ γ₁e = γ₂e : γ₁τ.

• Case: Rule 2.67

       Γ ⊢ ok
    ─────────────
    Γ ⊢ n : int

  Recall that int = Ty(Int). Now Δᵢ ▷ int ⇓ int, Δᵢ ▷ n ↔ Δᵢ ▷ n, and Δ₁ ▷ n ↔ Δ₂ ▷ n.
  Since (Δ₁;int) is (Δ₂;int), we have (Δᵢ;n;int) valid and (Δ₁;n;int) is (Δ₂;n;int).

• Case: Rule 2.68

        Γ ⊢ ok
    ──────────────
    Γ ⊢ x : Γ(x)

  By the assumptions for γ₁ and γ₂.

• Case: Rule 2.69

       Γ, f:(x:τ')→τ'', x:τ' ⊢ e : τ''
    ────────────────────────────────────────
    Γ ⊢ fun f(x:τ'):τ'' is e : (x:τ')→τ''

  There are strict subderivations Γ ⊢ (x:τ')→τ'' and, by inversion, Γ ⊢ τ' and Γ, x:τ' ⊢ τ''. By
  the inductive hypothesis, (Δ₁;γ₁τ') is (Δ₂;γ₂τ') and
  (Δ₁;γ₁((x:τ')→τ'')) is (Δ₂;γ₂((x:τ')→τ'')). Then
  (Δ₁, f:γ₁((x:τ')→τ''), x:γ₁τ'; γ₁[f↦f][x↦x]; Γ, f:(x:τ')→τ'', x:τ') is
  (Δ₂, f:γ₂((x:τ')→τ''), x:γ₂τ'; γ₂[f↦f][x↦x]; Γ, f:(x:τ')→τ'', x:τ'). By the inductive
  hypothesis, Δ₁, f:γ₁((x:τ')→τ''), x:γ₁τ' ▷ (γ₁[f↦f][x↦x])e ⇔
  Δ₂, f:γ₂((x:τ')→τ''), x:γ₂τ' ▷ (γ₂[f↦f][x↦x])e. Similarly, by the inductive hypothesis
  (Δ₁, x:γ₁τ'; (γ₁[x↦x])τ'') is (Δ₂, x:γ₂τ'; (γ₂[x↦x])τ''), so
  Δ₁, x:γ₁τ' ▷ (γ₁[x↦x])τ'' ⇔ Δ₂, x:γ₂τ' ▷ (γ₂[x↦x])τ''. Therefore
  Δ₁ ▷ γ₁(fun f(x:τ'):τ'' is e) ⇔ Δ₂ ▷ γ₂(fun f(x:τ'):τ'' is e), so
  (Δ₁;γ₁(fun f(x:τ'):τ'' is e);γ₁((x:τ')→τ'')) is (Δ₂;γ₂(fun f(x:τ'):τ'' is e);γ₂((x:τ')→τ'')).
• Case: Rule 2.70.

         Γ, α::K ⊢ e : τ
    ─────────────────────────────
    Γ ⊢ Λ(α::K):τ.e : ∀α::K.τ

  Analogous to the previous case, using
  (Δ₁, α::γ₁K; γ₁[α↦α]; Γ, α::K) is (Δ₂, α::γ₂K; γ₂[α↦α]; Γ, α::K).

• Case: Rule 2.71.

    Γ ⊢ v₁ : τ₁    Γ ⊢ v₂ : τ₂
    ───────────────────────────
    Γ ⊢ (v₁, v₂) : τ₁×τ₂

  By the inductive hypothesis, (Δ₁;γ₁v₁;γ₁τ₁) is (Δ₂;γ₂v₁;γ₂τ₁) and
  (Δ₁;γ₁v₂;γ₁τ₂) is (Δ₂;γ₂v₂;γ₂τ₂). By Lemma 7.1.8, we have
  (Δ₁;π₁(γ₁v₁, γ₁v₂);γ₁τ₁) is (Δ₂;π₁(γ₂v₁, γ₂v₂);γ₂τ₁), and
  (Δ₁;π₂(γ₁v₁, γ₁v₂);γ₁τ₂) is (Δ₂;π₂(γ₂v₁, γ₂v₂);γ₂τ₂).

• Case: Rule 2.72.

    Γ ⊢ v : (x:τ')×τ''
    ───────────────────
       Γ ⊢ π₁v : τ'

  By the inductive hypothesis, (Δ₁;γ₁v;γ₁((x:τ')×τ'')) is (Δ₂;γ₂v;γ₂((x:τ')×τ'')). Thus
  (Δ₁;π₁(γ₁v);γ₁τ') is (Δ₂;π₁(γ₂v);γ₂τ').

• Case: Rule 2.73

      Γ ⊢ v : (x:τ')×τ''
    ──────────────────────
    Γ ⊢ π₂v : [π₁v/x]τ''

  By the inductive hypothesis, (Δ₁;γ₁v;γ₁((x:τ')×τ'')) is (Δ₂;γ₂v;γ₂((x:τ')×τ'')). Thus
  (Δ₁;π₂(γ₁v);γ₁([π₁v/x]τ'')) is (Δ₂;π₂(γ₂v);γ₂([π₁v/x]τ'')).

• Case: Rule 2.74.

    Γ ⊢ v : τ'→τ''    Γ ⊢ v' : τ'
    ──────────────────────────────
          Γ ⊢ v v' : τ''

  By the inductive hypothesis and the definition of the logical relations, Δ₁ ▷ γ₁v ⇔ Δ₂ ▷ γ₂v and
  Δ₁ ▷ γ₁v' ⇔ Δ₂ ▷ γ₂v'. Thus Δ₁ ▷ γ₁(v v') ⇔ Δ₂ ▷ γ₂(v v').

• Case: Rule 2.75

    Γ ⊢ v : ∀α::K.τ    Γ ⊢ A :: K
    ──────────────────────────────
          Γ ⊢ v A : [A/α]τ

  By the inductive hypothesis and the definition of the logical relations, Δ₁ ▷ γ₁v ⇔ Δ₂ ▷ γ₂v.
  That is, Δ₁ ▷ γ₁v ⇓ w₁ and Δ₂ ▷ γ₂v ⇓ w₂ and Δ₁ ▷ w₁ ↔ Δ₂ ▷ w₂. By substitution,
  Δ₁ ⊢ γ₁v : γ₁(∀α::K.τ), so by soundness of weak head reduction we have
  Δ₁ ⊢ w₁ : γ₁(∀α::K.τ). Let Δ₁ ▷ w₁ ⇒ L₁. Then Δ₁ ⊢ L₁ ≤ γ₁(∀α::K.τ) by Lemma 6.3.1.
  By Theorem 6.2.3, L₁ = ∀α::L₁'.σ₁'' with Δ₁ ⊢ γ₁K ≤ L₁'. Similarly, Δ₂ ▷ w₂ ⇒ ∀α::L₂'.σ₂''
  with Δ₂ ⊢ γ₂K ≤ L₂'. Now either both w₁ and w₂ are paths or they are both
  polymorphic abstractions. In either case, Δ₁ ⊢ ∀α::L₁'.σ₁'' = ∀α::L₂'.σ₂''. By Theorem 6.2.2,
  Δ₁ ⊢ L₁' = L₂'. Then Δ₁ ⊢ γ₁A = γ₂A :: γ₁K by functionality, so Δ₁ ⊢ γ₁A = γ₂A :: L₁' by
  subsumption. Then Δ₁ ▷ γ₁A :: γ₁K ⇔ Δ₂ ▷ γ₂A :: γ₂K by the completeness of constructor
  equivalence, and therefore Δ₁ ▷ γ₁(v A) ⇔ Δ₂ ▷ γ₂(v A).
• Case: Rule 2.76

    Γ ⊢ e' : τ'    Γ, x:τ' ⊢ e : τ    Γ ⊢ τ
    ─────────────────────────────────────────
      Γ ⊢ (let x:τ'=e' in e : τ end) : τ

  By the inductive hypothesis and the definition of the logical relations, Δ₁ ▷ γ₁e' ⇔ Δ₂ ▷ γ₂e'.
  There is a strict subderivation Γ ⊢ τ'. By the inductive hypothesis (Δ₁;γ₁τ') is (Δ₂;γ₂τ'),
  so by Lemma 7.1.12 we have Δ₁ ▷ γ₁τ' ⇔ Δ₂ ▷ γ₂τ'. Similarly, Δ₁ ▷ γ₁τ ⇔ Δ₂ ▷ γ₂τ. Finally,
  using Corollary 7.1.10 we have (Δ₁, x:γ₁τ'; γ₁[x↦x]; Γ, x:τ') is (Δ₂, x:γ₂τ'; γ₂[x↦x]; Γ, x:τ'),
  so by the inductive hypothesis Δ₁, x:γ₁τ' ▷ (γ₁[x↦x])e ⇔ Δ₂, x:γ₂τ' ▷ (γ₂[x↦x])e.
  Therefore Δ₁ ▷ γ₁(let x:τ'=e' in e : τ end) ⇔ Δ₂ ▷ γ₂(let x:τ'=e' in e : τ end).

Term Equivalence: Γ ⊢ e₁ = e₂ : τ. All these cases are straightforward, similar to cases already
proved. ■

Lemma 7.1.14

1. If Γ ⊢ ok then (Γ;id;Γ) valid, where id is the identity function.

2. If Γ ⊢ ok then (Γ;id;Γ) is (Γ;id;Γ), where id is the identity function.

Proof:

1. By induction on the proof of Γ ⊢ ok.

   • Case: Empty context. Vacuous.

   • Case: Γ, α::K ⊢ ok because Γ ⊢ K.

     By the inductive hypothesis and monotonicity.

   • Case: Γ, x:τ ⊢ ok because Γ ⊢ τ.

     (a) By Proposition 3.1.1, Γ ⊢ τ, and Γ ⊢ ok.

     (b) Also, x ∉ dom(Γ).

     (c) By the inductive hypothesis, (Γ;y;Γ(y)) valid for all y ∈ dom(Γ) and
         (Γ;α;Γ(α)) valid for all α ∈ dom(Γ).

     (d) By monotonicity, (Γ,x:τ;y;(Γ,x:τ)(y)) valid for all y ∈ dom(Γ), and
         (Γ,x:τ;α;(Γ,x:τ)(α)) valid for all α ∈ dom(Γ).

     (e) By Theorem 7.1.13, (Γ;τ) valid,

     (f) and by monotonicity (Γ,x:τ;τ) valid.

     (g) Now by Corollary 7.1.10, (Γ,x:τ;x;τ) valid.

     (h) Hence (Γ,x:τ;id;Γ,x:τ) valid.

2. By part 1 and reflexivity.

■

This yields a completeness result for the symmetrized algorithm:

Corollary 7.1.15

1. If Γ ⊢ τ₁ = τ₂ then (Γ;τ₁) is (Γ;τ₂).

2. If Γ ⊢ e₁ = e₂ : τ then (Γ;e₁;τ) is (Γ;e₂;τ).

3. If Γ ⊢ τ₁ = τ₂ then Γ ▷ τ₁ ⇔ Γ ▷ τ₂.

4. If Γ ⊢ e₁ = e₂ : τ then Γ ▷ e₁ ⇔ Γ ▷ e₂.

Proof:

1,2. By Lemma 7.1.14, we can apply Theorem 7.1.13 with γ₁ and γ₂ being identity
substitutions.

3,4. Follows directly from parts 1 and 2 and the definition of the logical relations.

■

Again, use of a size function for algorithmic equivalence (the number of non-head-normalization
rules used) allows the proof to be transferred to the original equivalence algorithm.

Theorem 7.1.16

1. If ⊢ Γ₁ = Γ₂, Γ₁ ⊢ e₁ : τ, Γ₂ ⊢ e₂ : τ, and Γ₁ ▷ e₁ ⇔ Γ₂ ▷ e₂ then Γ₁ ▷ e₁ ⇔ e₂.

2. If ⊢ Γ₁ = Γ₂, Γ₁ ⊢ e₁ : τ, Γ₂ ⊢ e₂ : τ, and Γ₁ ▷ e₁ ⇔ e₂ then Γ₁ ▷ e₁ ⇔ Γ₂ ▷ e₂.

3. If ⊢ Γ₁ = Γ₂, Γ₁ ⊢ τ₁, Γ₂ ⊢ τ₂, and Γ₁ ▷ τ₁ ⇔ Γ₂ ▷ τ₂ then Γ₁ ▷ τ₁ ⇔ τ₂.

4. If ⊢ Γ₁ = Γ₂, Γ₁ ⊢ τ₁, Γ₂ ⊢ τ₂, and Γ₁ ▷ τ₁ ⇔ τ₂ then Γ₁ ▷ τ₁ ⇔ Γ₂ ▷ τ₂.

Corollary 7.1.17 (Completeness for Type and Term Equivalence)

1. If Γ ⊢ e₁ = e₂ : τ then Γ ▷ e₁ ⇔ e₂.

2. If Γ ⊢ τ₁ = τ₂ then Γ ▷ τ₁ ⇔ τ₂.

Theorem 7.1.18

1. If Γ ▷ τ₁ ⇔ τ₁ and Γ ▷ τ₂ ⇔ τ₂ then it is decidable whether Γ ▷ τ₁ ⇔ τ₂.

2. If Γ ▷ e₁ ⇔ e₁ and Γ ▷ e₂ ⇔ e₂ then it is decidable whether Γ ▷ e₁ ⇔ e₂.

Corollary 7.1.19 (Decidability of Type and Term Equivalence)

1. If Γ ⊢ τ₁ and Γ ⊢ τ₂ then it is decidable whether Γ ⊢ τ₁ = τ₂.

2. If Γ ⊢ e₁ : τ and Γ ⊢ e₂ : τ then it is decidable whether Γ ⊢ e₁ = e₂ : τ.

Proof: Follows from Theorem 7.1.18 and by soundness and completeness of the equivalence
algorithms. ■


7.2 Completeness and Decidability for Subtyping and Validity

Given completeness for term equivalence, proving completeness of the subtyping algorithm would
be straightforward if it were not for transitivity (Rule 2.61). Proving transitivity of the algorithm
requires some care because of polymorphic types, and the fact that changes to kinds in the typing
context affect type head-normalization.

Reflexivity, in contrast, is direct:

Lemma 7.2.1

If Γ ⊢ τ then Γ ▷ τ ⇓ σ and Γ ▷ σ ⊑ σ (i.e., Γ ▷ τ ≤ τ).

Proof: By induction on the proof of Γ ⊢ τ, using correctness of the term, kind, and constructor
equivalence algorithms. ■

Proving transitivity requires showing that the algorithm obeys a weakening property: types in
the context can be replaced by subtypes, and kinds in the context can be replaced by subkinds.
Half of this is straightforward:
Lemma 7.2.2 (Algorithmic Weakening for Term Variables)

Assume Γ' ⊢ σ₂ ≤ σ₁.

1. If Γ',x:σ₁,Γ'' ⊢ v₁ : τ and Γ',x:σ₁,Γ'' ⊢ v₂ : τ and Γ',x:σ₁,Γ'' ▷ v₁ ⇔ v₂ then
   Γ',x:σ₂,Γ'' ▷ v₁ ⇔ v₂.

2. If Γ',x:σ₁,Γ'' ⊢ τ₁ and Γ',x:σ₁,Γ'' ⊢ τ₂ and Γ',x:σ₁,Γ'' ▷ τ₁ ⇔ τ₂ then Γ',x:σ₂,Γ'' ▷ τ₁ ⇔ τ₂.

3. If Γ',x:σ₁,Γ'' ⊢ τ₁ and Γ',x:σ₁,Γ'' ⊢ τ₂ and Γ',x:σ₁,Γ'' ▷ τ₁ ⊑ τ₂ then Γ',x:σ₂,Γ'' ▷ τ₁ ⊑ τ₂.

4. If Γ',x:σ₁,Γ'' ⊢ τ₁ and Γ',x:σ₁,Γ'' ⊢ τ₂ and Γ',x:σ₁,Γ'' ▷ τ₁ ≤ τ₂ then Γ',x:σ₂,Γ'' ▷ τ₁ ≤ τ₂.

5. If Γ',x:σ₁,Γ'' ⊢ ok and Γ',x:σ₁,Γ'' ▷ τ then Γ',x:σ₂,Γ'' ▷ τ.

6. If Γ',x:σ₁,Γ'' ⊢ ok and Γ',x:σ₁,Γ'' ▷ e ⇒ τ then Γ',x:σ₂,Γ'' ▷ e ⇒ τ.

7. If Γ',x:σ₁,Γ'' ⊢ τ and Γ',x:σ₁,Γ'' ▷ e ⇐ τ then Γ',x:σ₂,Γ'' ▷ e ⇐ τ.

Proof:

1,2. By soundness and completeness for type/term equivalence, and Corollary 3.2.8.

3,4. By induction on algorithmic derivations and part 1. (For part 4, note that
head-normalization of types is completely unaffected by the type of x.)

5-7. By induction on algorithmic derivations and part 4.

■

However, modifying kinds in the context affects head-normalization of types, and hence it is
harder to show that algorithmic subtyping is preserved when kinds in the context are made more
specific.

I solve this problem with a two-step process. First I prove soundness and completeness for the
algorithm applied to the subset of types not containing the universal quantifier. I then use this to
show the required weakening property, which then allows a proof of full transitivity. The success
of this method depends critically on the predicativity of MIL₀.

First, any two related types either both contain a universal quantifier, or neither do.

Proposition 7.2.3

1. If Γ ⊢ τ₁ = τ₂ then τ₁ contains a ∀ if and only if τ₂ contains a ∀.

2. If Γ ⊢ τ₁ ≤ τ₂ then τ₁ contains a ∀ if and only if τ₂ contains a ∀.

Proof: By induction on derivations. ■

Lemma 7.2.4 (Pre-transitivity of Algorithmic Subtyping)

Assume τ₁, τ₂, and τ₃ contain no ∀'s, and that Γ ⊢ τ₁, Γ ⊢ τ₂, and Γ ⊢ τ₃.

1. If Γ ▷ τ₁ ⊑ τ₂ and Γ ▷ τ₂ ⊑ τ₃ then Γ ▷ τ₁ ⊑ τ₃.

2. If Γ ▷ τ₁ ≤ τ₂ and Γ ▷ τ₂ ≤ τ₃ then Γ ▷ τ₁ ≤ τ₃.

Proof: By simultaneous induction on size(Γ;τ₁) + size(Γ;τ₂) + size(Γ;τ₃).

1. • Case: Γ ▷ Ty(A₁) ⊑ Ty(A₂) ⊑ Ty(A₃). By transitivity of the constructor equivalence
     algorithm.

   • Case: Γ ▷ S(v₁ : τ₁') ⊑ S(v₂ : τ₂') ⊑ S(v₃ : τ₃'). By the inductive hypothesis, Γ ▷ τ₁' ≤ τ₃'.
     By the correctness of algorithmic term equivalence, Γ ▷ v₁ ⇔ v₃.

   • Case: Γ ▷ S(v₁ : τ₁') ⊑ S(v₂ : τ₂') ⊑ τ₃, where τ₃ is not a singleton. By the inductive
     hypothesis, Γ ▷ τ₁' ≤ τ₃.

   • Case: Γ ▷ S(v₁ : τ₁') ⊑ τ₂ ⊑ τ₃, where τ₂ and τ₃ are not singletons. By the inductive
     hypothesis, Γ ▷ τ₁' ≤ τ₃.

   • Case: Γ ▷ (x:τ₁')→τ₁'' ⊑ (x:τ₂')→τ₂'' ⊑ (x:τ₃')→τ₃''. By the inductive hypothesis,
     Γ ▷ τ₃' ≤ τ₁'. By Lemma 7.2.2, Γ, x:τ₃' ▷ τ₁'' ≤ τ₂'', so by the inductive hypothesis we have
     Γ, x:τ₃' ▷ τ₁'' ≤ τ₃''.

   • Case: Γ ▷ (x:τ₁')×τ₁'' ⊑ (x:τ₂')×τ₂'' ⊑ (x:τ₃')×τ₃''. Analogous to previous case.

2. By part 1.

■


Lemma 7.2.5

Assume τ₁ and τ₂ contain no ∀'s.

1. If τ₁ = Ty(A₁), τ₂ = Ty(A₂), and Γ ⊢ A₁ = A₂ :: T then Γ ▷ τ₁ ≤ τ₂.

2. If Γ ⊢ τ₁ = τ₂ then Γ ▷ τ₁ ⇓ σ₁, Γ ▷ τ₂ ⇓ σ₂, Γ ▷ σ₁ ⊑ σ₂, and Γ ▷ σ₂ ⊑ σ₁ (i.e., Γ ▷ τ₁ ≤ τ₂ and
   Γ ▷ τ₂ ≤ τ₁).

3. If Γ ⊢ τ₁ ≤ τ₂ then Γ ▷ τ₁ ⇓ σ₁, Γ ▷ τ₂ ⇓ σ₂, and Γ ▷ σ₁ ⊑ σ₂ (i.e., Γ ▷ τ₁ ≤ τ₂).

Proof:

1. By induction on the common normal form of A₁ and A₂.

2,3. By induction on derivations, and part 1. Note that for the case of transitivity, by
Proposition 7.2.3 the mediating term will contain no ∀'s and so the inductive hypothesis
applies.

■


Lemma 7.2.6 (Algorithmic Weakening for Constructor Variables)

Assume Γ' ⊢ K₂ ≤ K₁.

1. If Γ',α::K₁,Γ'' ⊢ v₁ : τ, Γ',α::K₁,Γ'' ⊢ v₂ : τ, and Γ',α::K₁,Γ'' ▷ v₁ ⇔ v₂ then
   Γ',α::K₂,Γ'' ▷ v₁ ⇔ v₂.

2. If Γ',α::K₁,Γ'' ⊢ τ₁, Γ',α::K₁,Γ'' ⊢ τ₂, and Γ',α::K₁,Γ'' ▷ τ₁ ⇔ τ₂ then Γ',α::K₂,Γ'' ▷ τ₁ ⇔ τ₂.

3. If Γ',α::K₁,Γ'' ⊢ τ₁, Γ',α::K₁,Γ'' ⊢ τ₂, and Γ',α::K₁,Γ'' ▷ τ₁ ⊑ τ₂ then Γ',α::K₂,Γ'' ▷ τ₁ ⊑ τ₂.

4. If Γ',α::K₁,Γ'' ⊢ τ₁, Γ',α::K₁,Γ'' ⊢ τ₂, and Γ',α::K₁,Γ'' ▷ τ₁ ≤ τ₂ then Γ',α::K₂,Γ'' ▷ τ₁ ≤ τ₂.

5. If Γ',α::K₁,Γ'' ⊢ ok and Γ',α::K₁,Γ'' ▷ τ then Γ',α::K₂,Γ'' ▷ τ.

6. If Γ',α::K₁,Γ'' ⊢ ok and Γ',α::K₁,Γ'' ▷ e ⇒ τ then Γ',α::K₂,Γ'' ▷ e ⇒ τ.

7. If Γ',α::K₁,Γ'' ⊢ τ and Γ',α::K₁,Γ'' ▷ e ⇐ τ then Γ',α::K₂,Γ'' ▷ e ⇐ τ.

Proof:

1,2. By soundness and completeness for type/term equivalence, and Corollary 3.2.8.

3. Proved simultaneously with part 4, by induction on algorithmic derivations.

   • Case: Γ',α::K₁,Γ'' ▷ Ty(A₁) ⊑ Ty(A₂). By correctness of the constructor equivalence
     algorithm and Corollary 3.2.8.

   • Case: Γ',α::K₁,Γ'' ▷ S(v₁ : τ₁') ⊑ S(v₂ : τ₂'). By the inductive hypothesis
     Γ',α::K₂,Γ'' ▷ τ₁' ≤ τ₂'. By correctness of the term equivalence algorithm and
     Corollary 3.2.8, Γ',α::K₂,Γ'' ▷ v₁ ⇔ v₂.

   • Case: Γ',α::K₁,Γ'' ▷ S(v₁ : τ₁') ⊑ τ₂ where τ₂ is not a singleton. By the inductive
     hypothesis Γ',α::K₂,Γ'' ▷ τ₁' ≤ τ₂.

   • Case: Γ',α::K₁,Γ'' ▷ (x:τ₁')→τ₁'' ⊑ (x:τ₂')→τ₂''. By the inductive hypothesis,
     Γ',α::K₂,Γ'' ▷ τ₂' ≤ τ₁' and Γ',α::K₂,Γ'',x:τ₂' ▷ τ₁'' ≤ τ₂''.

   • Case: Γ',α::K₁,Γ'' ▷ (x:τ₁')×τ₁'' ⊑ (x:τ₂')×τ₂''. Analogous to previous case.

   • Case: Γ',α::K₁,Γ'' ▷ ∀α::K₁'.τ₁' ⊑ ∀α::K₂'.τ₂'. By correctness of algorithmic subkinding
     and Corollary 3.2.8, Γ',α::K₂,Γ'' ▷ K₂' ≤ K₁' and by the inductive hypothesis,
     Γ',α::K₂,Γ'',α::K₂' ▷ τ₁' ≤ τ₂'.

4. • Case: τ₁ and τ₂ contain ∀.

     (a) Then neither type is of the form Ty(A),

     (b) so Γ',α::K₁,Γ'' ▷ τ₁ ⇓ τ₁, Γ',α::K₁,Γ'' ▷ τ₂ ⇓ τ₂, Γ',α::K₂,Γ'' ▷ τ₁ ⇓ τ₁, and
         Γ',α::K₂,Γ'' ▷ τ₂ ⇓ τ₂.

     (c) By part 3 we have Γ',α::K₂,Γ'' ▷ τ₁ ⊑ τ₂,

     (d) so Γ',α::K₂,Γ'' ▷ τ₁ ≤ τ₂.

   • Case: neither τ₁ nor τ₂ contains ∀.

     (a) By assumption Γ',α::K₁,Γ'' ▷ τ₁ ⇓ σ₁, Γ',α::K₁,Γ'' ▷ τ₂ ⇓ σ₂, and
         Γ',α::K₁,Γ'' ▷ σ₁ ⊑ σ₂.

     (b) By part 3, Γ',α::K₂,Γ'' ▷ σ₁ ⊑ σ₂.

     (c) By Lemma 6.2.1, Γ',α::K₁,Γ'' ⊢ τ₁ = σ₁ and Γ',α::K₁,Γ'' ⊢ τ₂ = σ₂.

     (d) By Corollary 3.2.8 and completeness of the type equivalence algorithm,
         Γ',α::K₂,Γ'' ▷ τ₁ ⇓ σ₁', Γ',α::K₂,Γ'' ▷ τ₂ ⇓ σ₂', Γ',α::K₂,Γ'' ⊢ τ₁ = σ₁', and
         Γ',α::K₂,Γ'' ⊢ τ₂ = σ₂'.

     (e) By Corollary 3.2.8 and transitivity, Γ',α::K₂,Γ'' ⊢ σ₁ = σ₁' and
         Γ',α::K₂,Γ'' ⊢ σ₂ = σ₂'.

     (f) By Lemma 7.2.5, Γ',α::K₂,Γ'' ▷ σ₁' ≤ σ₁ and Γ',α::K₂,Γ'' ▷ σ₂ ≤ σ₂'.

     (g) Since Γ',α::K₂,Γ'' ▷ σ₁ ≤ σ₂, by Lemma 7.2.4 applied twice we have
         Γ',α::K₂,Γ'' ▷ σ₁' ≤ σ₂'.

     (h) But σ₁' and σ₂' are head-normal, so Γ',α::K₂,Γ'' ▷ σ₁' ⊑ σ₂'.

     (i) Therefore Γ',α::K₂,Γ'' ▷ τ₁ ≤ τ₂.

5-7. By induction on algorithmic derivations and part 4.

■


Given this weakening property, I can now show the full transitivity result for algorithmic
subtyping. I show only one case of the proof, because all the others are exactly the same as in the
proof of Lemma 7.2.4.

Lemma 7.2.7 (Transitivity of Algorithmic Subtyping)

Assume Γ ⊢ τ₁, Γ ⊢ τ₂, and Γ ⊢ τ₃.

1. If Γ ▷ τ₁ ⊑ τ₂ and Γ ▷ τ₂ ⊑ τ₃ then Γ ▷ τ₁ ⊑ τ₃.

2. If Γ ▷ τ₁ ≤ τ₂ and Γ ▷ τ₂ ≤ τ₃ then Γ ▷ τ₁ ≤ τ₃.

Proof: By induction on size(Γ;τ₁) + size(Γ;τ₂) + size(Γ;τ₃).

• Case: Γ ▷ ∀α::K₁'.τ₁' ⊑ ∀α::K₂'.τ₂' ⊑ ∀α::K₃'.τ₃'. By the transitivity of the subkinding
  algorithm, Γ ▷ K₃' ≤ K₁'. By Lemma 7.2.6 we have Γ, α::K₃' ▷ τ₁' ≤ τ₂'. By the inductive
  hypothesis, Γ, α::K₃' ▷ τ₁' ≤ τ₃'.

■

At this point I have shown that the subtyping and kind equivalence algorithms are transitive
on well-formed types. Completeness of the remaining type and term algorithms is now
straightforward.

Theorem 7.2.8 (Completeness for Subtyping and Validity)

1. If Γ ⊢ τ then Γ ▷ τ.

2. If Γ ⊢ τ₁ ≤ τ₂ then Γ ▷ τ₁ ≤ τ₂.

3. If Γ ⊢ τ₁ ≤ τ₂ and τ₁ and τ₂ are head-normal then Γ ▷ τ₁ ⊑ τ₂.

4. If Γ ⊢ e : τ then Γ ▷ e ⇒ σ and Γ ▷ σ ≤ τ.

5. If Γ ⊢ e : τ then Γ ▷ e ⇐ τ.

Proof: By simultaneous induction on the hypothesized derivations, using the completeness of the
type and term equivalence algorithms, and transitivity of algorithmic subtyping. ■

Theorem 7.2.9

1. If Γ ⊢ τ₁ and Γ ⊢ τ₂ then it is decidable whether Γ ▷ τ₁ ⊑ τ₂.

2. If Γ ⊢ τ₁ and Γ ⊢ τ₂ then it is decidable whether Γ ▷ τ₁ ≤ τ₂.

3. If Γ ⊢ ok then it is decidable whether Γ ▷ τ is provable.

4. If Γ ⊢ ok then it is decidable whether Γ ▷ e ⇒ τ holds for some τ.

5. If Γ ⊢ τ and e is given then it is decidable whether Γ ▷ e ⇐ τ is provable.

Proof:

1,2. By induction on size(Γ;τ₁) + size(Γ;τ₂), invoking the decidability of term equivalence and of
type head-normalization.

3-5. By simultaneous induction on the textual size of τ, e, and e respectively.

■

Corollary 7.2.10 (Decidability of Subtyping and Validity)

1. If Γ ⊢ ok then it is decidable whether Γ ⊢ τ is provable.

2. If Γ ⊢ τ₁ and Γ ⊢ τ₂ then it is decidable whether Γ ⊢ τ₁ ≤ τ₂.

3. If Γ ⊢ ok then it is decidable whether Γ ⊢ e : τ holds for some τ.

4. If Γ ⊢ τ and e is given then it is decidable whether Γ ⊢ e : τ is provable.
7.3 Antisymmetry of Subtyping

By taking advantage of the algorithmic form of subtyping, which contains no transitivity rule,
subtyping can be shown to be antisymmetric.

Lemma 7.3.1

Assume Γ ⊢ τ₁ and Γ ⊢ τ₂.

1. If Γ ▷ τ₁ ≤ τ₂ and Γ ▷ τ₂ ≤ τ₁ then Γ ▷ τ₁ ⇔ τ₂.

2. If Γ ▷ τ₁ ⊑ τ₂ and Γ ▷ τ₂ ⊑ τ₁ then Γ ▷ τ₁ ↔ τ₂.

Proof: By simultaneous induction on the size of the hypothesized derivations.

Note that by soundness, Γ ⊢ τ₁ ≤ τ₂ and Γ ⊢ τ₂ ≤ τ₁.

1. (a) By inversion, Γ ▷ τ₁ ⇓ σ₁, Γ ▷ τ₂ ⇓ σ₂, Γ ▷ σ₁ ⊑ σ₂ and Γ ▷ σ₂ ⊑ σ₁.

   (b) By the inductive hypothesis, Γ ▷ σ₁ ↔ σ₂.

   (c) Thus Γ ▷ τ₁ ⇔ τ₂.

2. • Case: Γ ▷ Ty(A₁) ⊑ Ty(A₂) and Γ ▷ Ty(A₂) ⊑ Ty(A₁) because Γ ▷ A₁ ⇔ A₂ :: T and
     Γ ▷ A₂ ⇔ A₁ :: T. Then Γ ▷ Ty(A₁) ↔ Ty(A₂).

   • Case: Γ ▷ S(v₁ : τ₁) ⊑ S(v₂ : τ₂) and Γ ▷ S(v₂ : τ₂) ⊑ S(v₁ : τ₁) because Γ ▷ τ₁ ≤ τ₂,
     Γ ▷ v₁ ⇔ v₂, Γ ▷ τ₂ ≤ τ₁, and Γ ▷ v₂ ⇔ v₁.

     By the inductive hypothesis, Γ ▷ τ₁ ⇔ τ₂, so Γ ▷ S(v₁ : τ₁) ↔ S(v₂ : τ₂).

   • Case: Γ ▷ (x:τ₁')→τ₁'' ⊑ (x:τ₂')→τ₂'' and Γ ▷ (x:τ₂')→τ₂'' ⊑ (x:τ₁')→τ₁'' because Γ ▷ τ₁' ≤ τ₂'
     and Γ, x:τ₂' ▷ τ₁'' ≤ τ₂'' and Γ ▷ τ₂' ≤ τ₁' and Γ, x:τ₁' ▷ τ₂'' ≤ τ₁''.

     (a) By the inductive hypothesis, Γ ▷ τ₁' ⇔ τ₂'.

     (b) By completeness, Γ, x:τ₁' ▷ τ₁'' ≤ τ₂''.

     (c) By the inductive hypothesis, Γ, x:τ₁' ▷ τ₁'' ⇔ τ₂''.

     (d) Thus Γ ▷ (x:τ₁')→τ₁'' ↔ (x:τ₂')→τ₂''.

   • The remaining two cases are similar.

■

Proposition 7.3.2 (Antisymmetry of Subtyping)

If Γ ⊢ τ₁ ≤ τ₂ and Γ ⊢ τ₂ ≤ τ₁ then Γ ⊢ τ₁ = τ₂.

Proof: By soundness and completeness of the subtyping algorithms and by Lemma 7.3.1. ■
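The case analyses in the proofs of Lemmas 7.2.4, 7.2.6 and 7.3.1 together spell out the clauses of the head-normal subtyping judgment ⊑, and Proposition 7.2.3 turns on whether a type contains a ∀. The following executable model is added here to make those clauses concrete; it is not the dissertation's algorithm or the TILT implementation. It assumes an empty context (so head normalization ⇓ is the identity and ≤ coincides with ⊑), ignores the dependency of codomains and second components on x, and decides the leaf judgments (constructor equivalence on Ty(A), term equivalence on singleton witnesses, subkinding) by comparing names. The type forms, the helper names and the sample types are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Union

# Constructed model of the subtyping clauses discussed in Lemmas 7.2.4, 7.2.6 and
# 7.3.1 (assumptions: empty context, head normalization is the identity, leaf
# judgments compared by name, no dependency on the bound variable x).


@dataclass(frozen=True)
class Ty:            # Ty(A): values classified by the constructor named A
    con: str


@dataclass(frozen=True)
class S:             # S(v : tau): the singleton type of the value named v at tau
    v: str
    tau: "Type"


@dataclass(frozen=True)
class Arrow:         # (x:dom) -> cod
    dom: "Type"
    cod: "Type"


@dataclass(frozen=True)
class Sigma:         # (x:fst) x snd
    fst: "Type"
    snd: "Type"


@dataclass(frozen=True)
class Forall:        # forall alpha::kind . body ; kinds are opaque names here
    kind: str
    body: "Type"


Type = Union[Ty, S, Arrow, Sigma, Forall]


def contains_forall(t: Type) -> bool:
    """The predicate of Proposition 7.2.3: does the type mention a forall?"""
    if isinstance(t, Forall):
        return True
    if isinstance(t, S):
        return contains_forall(t.tau)
    if isinstance(t, (Arrow, Sigma)):
        a, b = (t.dom, t.cod) if isinstance(t, Arrow) else (t.fst, t.snd)
        return contains_forall(a) or contains_forall(b)
    return False


def subkind(k1: str, k2: str) -> bool:
    # Assumption: kinds are opaque names, so K1 <= K2 only when they coincide.
    return k1 == k2


def sub_hn(t1: Type, t2: Type) -> bool:
    """Head-normal subtyping (the ⊑ judgment), one clause per case of the lemmas."""
    if isinstance(t1, Ty) and isinstance(t2, Ty):
        return t1.con == t2.con                        # constructor equivalence
    if isinstance(t1, S) and isinstance(t2, S):
        return t1.v == t2.v and sub(t1.tau, t2.tau)    # witnesses equal, types <=
    if isinstance(t1, S):
        return sub(t1.tau, t2)                         # S(v:tau) ⊑ tau2 when tau <= tau2
    if isinstance(t1, Arrow) and isinstance(t2, Arrow):
        return sub(t2.dom, t1.dom) and sub(t1.cod, t2.cod)   # contravariant domain
    if isinstance(t1, Sigma) and isinstance(t2, Sigma):
        return sub(t1.fst, t2.fst) and sub(t1.snd, t2.snd)   # covariant components
    if isinstance(t1, Forall) and isinstance(t2, Forall):
        return subkind(t2.kind, t1.kind) and sub(t1.body, t2.body)  # contravariant kind
    return False


def sub(t1: Type, t2: Type) -> bool:
    """General subtyping (<=): head-normalize both sides, then apply ⊑.
    Head normalization is the identity under this model's assumptions."""
    return sub_hn(t1, t2)


def equiv(t1: Type, t2: Type) -> bool:
    """Type equivalence in the model: structural equality of the trees."""
    return t1 == t2


def antisymmetric(t1: Type, t2: Type) -> bool:
    """Lemma 7.3.1 on one pair: mutual subtyping must imply equivalence."""
    return not (sub(t1, t2) and sub(t2, t1)) or equiv(t1, t2)


def transitive(t1: Type, t2: Type, t3: Type) -> bool:
    """Lemma 7.2.7 on one triple: t1 <= t2 and t2 <= t3 must give t1 <= t3."""
    return not (sub(t1, t2) and sub(t2, t3)) or sub(t1, t3)


# Constructed sample types (not taken from the dissertation).
INT = Ty("Int")
BOOL = Ty("Bool")
S_N = S("n", INT)                 # S(n : int)
ID_FN = Arrow(INT, INT)           # int -> int
NARROW_FN = Arrow(S_N, INT)       # S(n:int) -> int, a supertype of int -> int
PAIR = Sigma(S_N, INT)            # S(n:int) x int, a subtype of int x int
POLY1 = Forall("K", NARROW_FN)
POLY2 = Forall("K", ID_FN)
```

Reading the clauses against the lemmas: the S-versus-S clause returns False when the witnesses differ instead of falling through to the S-versus-non-singleton clause, because that clause applies only when the right-hand side is not a singleton; and the domain of an arrow and the kind of a ∀ are compared in the reverse direction, which is what makes the ∀ case in Lemma 7.2.7 need the weakening of Lemma 7.2.6 (the body is compared under the smaller kind K₃').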


7.4 Strengthening for Term Variables

From the correctness of the algorithmic judgments I now derive a strengthening property for term
variables. I show that all of the judgments in the definition of MIL₀ are preserved under dropping
of apparently-unused typing hypotheses for term variables.

However, recall that in the presence of transitivity rules strengthening cannot be proved directly
by induction on derivations. For example, consider an instance of Rule 2.81:

    Γ₁,y:σ,Γ₂ ⊢ e = e' : τ    Γ₁,y:σ,Γ₂ ⊢ e' = e'' : τ
    ─────────────────────────────────────────────────
               Γ₁,y:σ,Γ₂ ⊢ e = e'' : τ

And assume that y is not used in the conclusion (formally, that y ∉ (FV(Γ₂) ∪ FV(e) ∪ FV(e'') ∪
FV(τ))). It does not follow, however, that y ∉ FV(e'); a priori, it might be that the equivalence of
e and e'' is provable only by equating both to a term involving y. Thus the inductive hypothesis
cannot be applied to the premises.

Also, the trick used for eliminating unused kind variables in §3.4 is not applicable here, because
although every kind may be inhabited by a constructor, we cannot expect in general that every
type is likewise inhabited by a value.¹

However, the definitions of the algorithmic relations involve no transitivity rules, so here
strengthening can be proved directly:

Lemma 7.4.1

If Γ₁,y:σ,Γ₂ ▷ J holds and y ∉ (FV(Γ₂) ∪ FV(J)) then Γ₁,Γ₂ ▷ J holds as well.

Proof: By induction on the derivation Γ₁,y:σ,Γ₂ ▷ J. ■

By soundness and completeness of the algorithmic relations, the strengthening property can
be transferred to the official MIL₀. This is easy, but not quite immediate. For example, suppose
Γ₁,y:σ,Γ₂ ⊢ τ₁ ≤ τ₂ where y ∉ (dom(Γ₂) ∪ FV(τ₁) ∪ FV(τ₂)). By Completeness we have
Γ₁,y:σ,Γ₂ ▷ τ₁ ≤ τ₂, and by Lemma 7.4.1 we have Γ₁,Γ₂ ▷ τ₁ ≤ τ₂. However, we cannot simply
conclude that Γ₁,Γ₂ ⊢ τ₁ ≤ τ₂; the statement of soundness requires that we previously know
Γ₁,Γ₂ ⊢ τ₁ and Γ₁,Γ₂ ⊢ τ₂.

Lemma 7.4.2

If Γ₁,y:σ,Γ₂ ⊢ ok and y ∉ FV(Γ₂) then Γ₁,Γ₂ ⊢ ok.

Proof: By induction on Γ₂.

First, note that if Γ₁,y:σ,Γ₂ ⊢ ok then y ∉ FV(Γ₁). Then there are three cases for the form of the
proof of Γ₁,y:σ,Γ₂ ⊢ ok:

• Case: Γ₂ = •.

        Γ₁ ⊢ σ
    ──────────────  (y ∉ dom(Γ₁))
    Γ₁,y:σ ⊢ ok

  Then by Proposition 3.1.1, Γ₁ ⊢ ok.

• Case: Γ₂ = Γ₂',α::K.

       Γ₁,y:σ,Γ₂' ⊢ K
    ──────────────────────  (α ∉ dom(Γ₁,y:σ,Γ₂'))
    Γ₁,y:σ,Γ₂',α::K ⊢ ok

  1. By Completeness, Γ₁,y:σ,Γ₂' ▷ K.

  2. By Lemma 7.4.1, Γ₁,Γ₂' ▷ K.

  3. By Proposition 3.1.1 and the inductive hypothesis, Γ₁,Γ₂' ⊢ ok.

  4. By Soundness, Γ₁,Γ₂' ⊢ K.

  5. Therefore Γ₁,Γ₂',α::K ⊢ ok.

• Case: Γ₂ = Γ₂',x:τ.

       Γ₁,y:σ,Γ₂' ⊢ τ
    ──────────────────────  (x ∉ dom(Γ₁,y:σ,Γ₂'))
    Γ₁,y:σ,Γ₂',x:τ ⊢ ok

  1. By Completeness, Γ₁,y:σ,Γ₂' ▷ τ.

  2. By Lemma 7.4.1, Γ₁,Γ₂' ▷ τ.

  3. By Proposition 3.1.1 and the inductive hypothesis, Γ₁,Γ₂' ⊢ ok.

  4. By Soundness, Γ₁,Γ₂' ⊢ τ.

  5. Therefore Γ₁,Γ₂',x:τ ⊢ ok.

■

¹ Actually, since all the base types mentioned are inhabited, every type in MIL₀ is inhabited by a value. Because
this property is not preserved when recursive types are added, I choose not to take advantage of it.


Theorem 7.4.3 (Strengthening for Term Variables) 

If $\Gamma_1, y{:}\sigma, \Gamma_2 \vdash J$ holds and $y \notin (FV(\Gamma_2) \cup FV(J))$ then $\Gamma_1, \Gamma_2 \vdash J$ holds as well. 

Proof: By Lemmas 7.4.1 and 7.4.2, and soundness and completeness of the algorithmic 
judgments with respect to the MIL₀ definition. I show two representative cases: 

• Case: $\Gamma_1, y{:}\sigma, \Gamma_2 \vdash \tau$. 

1. By Completeness, $\Gamma_1, y{:}\sigma, \Gamma_2 \rhd \tau$. 

2. By Lemma 7.4.1, $\Gamma_1, \Gamma_2 \rhd \tau$. 

3. By Proposition 3.1.1 and Lemma 7.4.2, $\Gamma_1, \Gamma_2 \vdash \mathrm{ok}$. 

4. By Soundness, $\Gamma_1, \Gamma_2 \vdash \tau$. 

• Case: $\Gamma_1, y{:}\sigma, \Gamma_2 \vdash \tau_1 \le \tau_2$. 

1. By Completeness, $\Gamma_1, y{:}\sigma, \Gamma_2 \rhd \tau_1 \le \tau_2$. 

2. By Lemma 7.4.1, $\Gamma_1, \Gamma_2 \rhd \tau_1 \le \tau_2$. 

3. As in the previous case, $\Gamma_1, \Gamma_2 \vdash \mathrm{ok}$ and $\Gamma_1, \Gamma_2 \vdash \tau_1$ and $\Gamma_1, \Gamma_2 \vdash \tau_2$. 

4. By Soundness, $\Gamma_1, \Gamma_2 \vdash \tau_1 \le \tau_2$. ∎ 

Chapter 8 


Properties of Evaluation 

8.1 Determinacy of Evaluation 

It is straightforward to show that evaluation in MIL₀ is deterministic. 

Proposition 8.1.1 

1. Given $A$, there is at most one $U$ and one instruction $I$ such that $A = U[I]$. 

2. Given $e$, there is at most one $C$ and one instruction $I$ such that $e = C[I]$. 

Proof: By induction on $A$ and $e$ respectively. ∎ 

Corollary 8.1.2 (Determinacy of Evaluation) 

If $e \mapsto e_1$ and $e \mapsto e_2$ then $e_1 = e_2$. 


8.2 Type Soundness 

Type soundness is informally the property that “well-typed programs don’t go wrong”. In a small-step 
operational semantics, soundness can be expressed as the combination of two principles: 

1. Type Preservation: If $e$ is well-typed and $e$ can take a step to $e'$, then $e'$ is well-typed. 

2. Progress: If $e$ is well-typed then either $e$ is a fully-evaluated value and execution is done, or 
else $e$ can take a step to some $e'$. 

Put together, these guarantee that, when starting with a well-formed program, execution either 
terminates (yielding a fully-evaluated value) or execution goes on forever. Evaluation of well-typed 
programs cannot get “stuck” — reach a situation where no execution step applies but evaluation 
has not terminated. Examples of stuck programs would be $3(4)$ or $\pi_1(\mathtt{fun}\ f(x{:}\mathtt{int}){:}\mathtt{int}\ \mathtt{is}\ x)$. 
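The two principles above, and the two stuck programs just named, can be exercised directly on a toy fragment. The following Python is an added example and is not code from the dissertation or from the TILT compiler; it assumes a closed term language with only integers, pairs, projections, recursive functions and application (no constructors, kinds or singletons), encoded as tagged tuples, with a typechecker `typeof` and a small-step evaluator `step` that returns `None` exactly when no rule applies.

```python
# Added example (not from the dissertation or TILT): a toy term language encoded as tuples:
#   ('num', n)   ('pair', e1, e2)   ('proj', i, e)   ('var', x)   ('app', e1, e2)
#   ('fun', f, x, t_arg, t_res, body)      for   fun f(x:t_arg):t_res is body
# Types are ('int',), ('prod', t1, t2) and ('arrow', t1, t2).

def typeof(e, ctx=None):
    """Type of e under ctx, or None if e is ill-typed."""
    ctx = ctx or {}
    tag = e[0]
    if tag == 'num':
        return ('int',)
    if tag == 'var':
        return ctx.get(e[1])
    if tag == 'pair':
        t1, t2 = typeof(e[1], ctx), typeof(e[2], ctx)
        return ('prod', t1, t2) if t1 and t2 else None
    if tag == 'proj':                      # pi_i needs a product type; e[1] is 1 or 2
        t = typeof(e[2], ctx)
        return t[e[1]] if t and t[0] == 'prod' else None
    if tag == 'fun':                       # f is in scope in the body (recursion)
        _, f, x, t_arg, t_res, body = e
        inner = dict(ctx, **{f: ('arrow', t_arg, t_res), x: t_arg})
        return ('arrow', t_arg, t_res) if typeof(body, inner) == t_res else None
    if tag == 'app':
        tf, ta = typeof(e[1], ctx), typeof(e[2], ctx)
        return tf[2] if tf and tf[0] == 'arrow' and tf[1] == ta else None
    return None

def is_value(e):
    tag = e[0]
    return tag in ('num', 'fun') or (tag == 'pair' and is_value(e[1]) and is_value(e[2]))

def subst(e, name, v):
    """[v/name]e for a closed value v (closedness of v makes capture impossible)."""
    tag = e[0]
    if tag == 'var':
        return v if e[1] == name else e
    if tag == 'pair':
        return ('pair', subst(e[1], name, v), subst(e[2], name, v))
    if tag == 'proj':
        return ('proj', e[1], subst(e[2], name, v))
    if tag == 'fun':
        _, f, x, t_arg, t_res, body = e
        if name in (f, x):                 # shadowed: nothing to replace inside
            return e
        return ('fun', f, x, t_arg, t_res, subst(body, name, v))
    if tag == 'app':
        return ('app', subst(e[1], name, v), subst(e[2], name, v))
    return e                               # 'num'

def step(e):
    """One evaluation step, or None if none applies (e is a value or is stuck)."""
    tag = e[0]
    if tag in ('pair', 'app'):             # congruence: evaluate subterms left to right
        for i in (1, 2):
            if not is_value(e[i]):
                s = step(e[i])
                if s is None:
                    return None
                return (tag, s, e[2]) if i == 1 else (tag, e[1], s)
    if tag == 'proj':
        if not is_value(e[2]):
            s = step(e[2])
            return ('proj', e[1], s) if s else None
        return e[2][e[1]] if e[2][0] == 'pair' else None   # stuck: projecting a non-pair
    if tag == 'app':
        fn = e[1]
        if fn[0] != 'fun':
            return None                                     # stuck: applying a non-function
        _, f, x, _, _, body = fn
        return subst(subst(body, x, e[2]), f, fn)           # unfold f, then beta-reduce
    return None

def run(e, fuel=1000):
    """('value', v), ('stuck', e') or ('timeout', e') after at most `fuel` steps."""
    for _ in range(fuel):
        if is_value(e):
            return ('value', e)
        nxt = step(e)
        if nxt is None:
            return ('stuck', e)
        e = nxt
    return ('timeout', e)

def check_soundness(e):
    """Run a closed well-typed e, asserting progress and preservation at every step."""
    t = typeof(e)
    assert t is not None, "input must be well-typed"
    while not is_value(e):
        e = step(e)
        assert e is not None and typeof(e) == t   # progress, then preservation
    return t

# Constructed sample terms; the first two are the stuck programs from the text.
IDENT = ('fun', 'f', 'x', ('int',), ('int',), ('var', 'x'))   # fun f(x:int):int is x
STUCK_APP = ('app', ('num', 3), ('num', 4))                   # 3(4)
STUCK_PROJ = ('proj', 1, IDENT)                               # pi_1(fun f(x:int):int is x)
GOOD = ('proj', 2, ('pair', ('app', IDENT, ('num', 7)),       # pi_2 <f 7, <1, f 2>>
                            ('pair', ('num', 1), ('app', IDENT, ('num', 2)))))
```

Both stuck programs are rejected by `typeof` and left with no applicable step by `run`, while `check_soundness(GOOD)` walks the well-typed term to its value and confirms at each step that the type `int × int` is preserved.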

Lemma 8.2.1 

1. If $\Gamma \vdash I :: K$ and $I \leadsto R$ then $\Gamma \vdash R :: K$. 

2. If $\Gamma \vdash I : \tau$ and $I \leadsto R$ then $\Gamma \vdash R : \tau$. 

Lemma 8.2.2 (Decomposition and Replacement) 

1. If $\vdash C[e] : \tau$ then for some $\sigma$, $\vdash e : \sigma$, and $\vdash e' : \sigma$ implies $\vdash C[e'] : \tau$. 

2. If $\vdash C[A] : \tau$ then for some $L$, $\vdash A :: L$, and $\vdash A' :: L$ implies $\vdash C[A'] : \tau$. 

3. If $\vdash U[A] :: K$ then for some $L$, $\vdash A :: L$, and $\vdash A' :: L$ implies $\vdash U[A'] :: K$. 

Proof: By induction on derivations. ∎ 

Corollary 8.2.3 (Type Preservation) 

If $\Gamma \vdash e : \tau$ and $e \mapsto e'$ then $\Gamma \vdash e' : \tau$. 

Lemma 8.2.4 (Canonical Forms for Constructors) 

1. If $\vdash A :: \ldots$ then $A = \langle A', A'' \rangle$. 

2. If $\vdash A :: \ldots$ then either $A = \lambda\alpha{::}L.A'$ or else $A = c\,A_1 \cdots A_n$ with $n \ge 0$. 

Proof: By induction on the kinding derivation. ∎ 

Lemma 8.2.5 (Canonical Forms for Terms) 

Assume $\vdash v : \tau$. 

1. If $\rhd \tau \Downarrow \mathtt{int}$ then $v = n$ for some integer $n$. 

2. If $\rhd \tau \Downarrow (x{:}\tau')\times\tau''$ then $v = \langle v', v'' \rangle$ for some $v'$ and $v''$. 

3. If $\rhd \tau \Downarrow (x{:}\tau')\to\tau''$ then $v = \mathtt{fun}\ f(x{:}\sigma'){:}\sigma''\ \mathtt{is}\ e$ for some $\sigma'$, $\sigma''$, and $e$. 

4. If $\rhd \tau \Downarrow \forall\alpha{::}K.\tau'$ then $v = \Lambda(\alpha{::}L'){:}L''.e$ for some $L'$, $L''$, and $e$. 

Proof: By induction on typing derivations, using Theorem 6.2.3 and Lemma 6.3.1. ∎ 

Theorem 8.2.6 (Progress) 

1. If $\vdash A :: K$ then $A$ is a constructor value or $A \mapsto A'$ for some $A'$. 

2. If $\vdash e : \tau$ then $e = v$ or $e \mapsto e'$ for some $e'$. 

Proof: By simultaneous induction on typing and kinding derivations, and cases on the last 
inference rule used. I show one representative case: 

• Case: Rule 2.25 

$$\frac{\Gamma \vdash A_1 :: K' \to K'' \qquad \Gamma \vdash A_2 :: K'}{\Gamma \vdash A_1\,A_2 :: K''}$$ 

If $A_1$ is not a constructor value, then by the inductive hypothesis $A_1 \mapsto A_1'$, so 
$A_1\,A_2 \mapsto A_1'\,A_2$. Alternatively, if $A_1$ is a value but $A_2$ is not, then $A_2 \mapsto A_2'$ and 
$A_1\,A_2 \mapsto A_1\,A_2'$. Finally, assume $A_1$ and $A_2$ are both values. Then by Lemma 8.2.4, 
$A_1 = c\,v_1' \cdots v_n'$ and so $A_1\,A_2$ is a value, or else $A_1 = \lambda\alpha{::}K.A$ so that $A_1\,A_2 \mapsto [A_2/\alpha]A$. ∎ 

Chapter 9 


Intensional Polymorphism 


9.1 Introduction 

As discussed earlier, the TIL and TILT compilers use the intensional type analysis framework 
of Harper and Morrisett [HM95, TMC+96, Mor95]. Type constructors correspond to run-time 
values, and the language includes constructs which permit primitive recursion over constructors 
of kind T. I model these by adding two new constructs to the language: Typerec and typerec. 
The former is a constructor which does run-time analysis of constructors, while the latter is a 
term which does a similar run-time analysis. There are several applications for such constructs, 
both in implementing Standard ML (by, for example, using different array representations for 
values of different types) and elsewhere (e.g., implementing generic pretty-printing or marshaling 
routines) [HM95, TMC+96, Mor95]. 

9.2 Language Changes 

9.2.1 Grammar 

Intensional type analysis adds two constructs to the language: Typerec allows primitive recursion 
over constructors to compute a type constructor, while typerec allows primitive recursion over 
constructors to compute a term value. 

$$\begin{array}{lcl}
\text{Type Constructors} \quad A, B & ::= & \cdots \mid \mathrm{Typerec}[\alpha.K](A;\ A^{\to};\ A^{\mathrm{ow}}) \\
\text{Terms} \quad e, d & ::= & \cdots \mid \mathrm{typerec}[\alpha.\tau](A;\ e^{\to};\ e^{\mathrm{ow}})
\end{array}$$ 

For simplicity, the type analysis constructs considered here make only the distinction between 
those constructors which are (equivalent to) function type constructors, and the rest (the “otherwise” 
case). That is, I have restricted Typerec to allow the definitions for a function $F :: \Pi\alpha{::}T.K$ 
of the form 

$$\begin{array}{lcl}
F(\alpha_1 \to \alpha_2) & = & G(\alpha_1)(\alpha_2)(F(\alpha_1))(F(\alpha_2)) \\
F(\alpha) & = & H(\alpha) \quad \text{if } \alpha \text{ is not equivalent to a function type constructor}
\end{array}$$ 

where $G$ and $H$ are arbitrary constructor-level functions of the right kind; this function $F$ would 
be defined in the official syntax as 

$$\lambda\beta{::}T.\mathrm{Typerec}[\alpha.K](\beta;\ G;\ H).$$ 

A similar restriction is made for the term-level typerec. 

The most interesting aspects of constructs for intensional polymorphism are distinctions made 
between different constructors, primitive recursion, and the possibility of a default case. Extending 
Typerec and typerec to test for specific base type constructors or the product type constructor 
would not substantially affect the results of this chapter. 

9.2.2 Static Semantics 

The following rules must be added: 

Well-Formedness 

$$\frac{\begin{array}{c}
\Gamma \vdash A :: T \qquad \Gamma, \alpha{::}T \vdash K \\
\Gamma \vdash A^{\to} :: \Pi\alpha_1{::}T.\Pi\alpha_2{::}T.[\alpha_1/\alpha]K \to [\alpha_2/\alpha]K \to [(\alpha_1\to\alpha_2)/\alpha]K \\
\Gamma \vdash A^{\mathrm{ow}} :: \Pi\alpha{::}T.K
\end{array}}{\Gamma \vdash \mathrm{Typerec}[\alpha.K](A;\ A^{\to};\ A^{\mathrm{ow}}) :: [A/\alpha]K} \quad (9.1)$$ 

$$\frac{\begin{array}{c}
\Gamma \vdash A :: T \qquad \Gamma, \alpha{::}T \vdash \tau \\
\Gamma \vdash e^{\to} : \forall\alpha_1{::}T.\forall\alpha_2{::}T.[\alpha_1/\alpha]\tau \to [\alpha_2/\alpha]\tau \to [(\alpha_1\to\alpha_2)/\alpha]\tau \\
\Gamma \vdash e^{\mathrm{ow}} : \forall\alpha{::}T.\tau
\end{array}}{\Gamma \vdash \mathrm{typerec}[\alpha.\tau](A;\ e^{\to};\ e^{\mathrm{ow}}) : [A/\alpha]\tau} \quad (9.2)$$ 

Equivalence 

$$\frac{\begin{array}{c}
\Gamma \vdash A_1 = A_2 :: T \qquad \Gamma, \alpha{::}T \vdash K_1 = K_2 \\
\Gamma \vdash A_1^{\to} = A_2^{\to} :: \Pi\alpha_1{::}T.\Pi\alpha_2{::}T.[\alpha_1/\alpha]K_1 \to [\alpha_2/\alpha]K_1 \to [(\alpha_1\to\alpha_2)/\alpha]K_1 \\
\Gamma \vdash A_1^{\mathrm{ow}} = A_2^{\mathrm{ow}} :: \Pi\alpha{::}T.K_1
\end{array}}{\Gamma \vdash \mathrm{Typerec}[\alpha.K_1](A_1;\ A_1^{\to};\ A_1^{\mathrm{ow}}) = \mathrm{Typerec}[\alpha.K_2](A_2;\ A_2^{\to};\ A_2^{\mathrm{ow}}) :: [A_1/\alpha]K_1} \quad (9.3)$$ 

$$\frac{\begin{array}{c}
\Gamma \vdash A_1 :: T \qquad \Gamma \vdash A_2 :: T \qquad \Gamma, \alpha{::}T \vdash K \\
\Gamma \vdash A^{\to} :: \Pi\alpha_1{::}T.\Pi\alpha_2{::}T.[\alpha_1/\alpha]K \to [\alpha_2/\alpha]K \to [(\alpha_1\to\alpha_2)/\alpha]K \\
\Gamma \vdash A^{\mathrm{ow}} :: \Pi\alpha{::}T.K
\end{array}}{\begin{array}{c}
\Gamma \vdash \mathrm{Typerec}[\alpha.K](A_1{\to}A_2;\ A^{\to};\ A^{\mathrm{ow}}) = \\
A^{\to}\,(A_1)\,(A_2)\,(\mathrm{Typerec}[\alpha.K](A_1;\ A^{\to};\ A^{\mathrm{ow}}))\,(\mathrm{Typerec}[\alpha.K](A_2;\ A^{\to};\ A^{\mathrm{ow}})) :: [(A_1{\to}A_2)/\alpha]K
\end{array}} \quad (9.4)$$ 

$$\frac{\begin{array}{c}
\Gamma \vdash \mathcal{E}[c] :: T \qquad c \text{ is not } \to \qquad \Gamma, \alpha{::}T \vdash K \\
\Gamma \vdash A^{\to} :: \Pi\alpha_1{::}T.\Pi\alpha_2{::}T.[\alpha_1/\alpha]K \to [\alpha_2/\alpha]K \to [(\alpha_1\to\alpha_2)/\alpha]K \\
\Gamma \vdash A^{\mathrm{ow}} :: \Pi\alpha{::}T.K
\end{array}}{\Gamma \vdash \mathrm{Typerec}[\alpha.K](\mathcal{E}[c];\ A^{\to};\ A^{\mathrm{ow}}) = A^{\mathrm{ow}}\,(\mathcal{E}[c]) :: [\mathcal{E}[c]/\alpha]K} \quad (9.5)$$ 

$$\frac{\begin{array}{c}
\Gamma \vdash A_1 = A_2 :: T \qquad \Gamma, \alpha{::}T \vdash \tau_1 = \tau_2 \\
\Gamma \vdash e_1^{\to} = e_2^{\to} : \forall\alpha_1{::}T.\forall\alpha_2{::}T.[\alpha_1/\alpha]\tau_1 \to [\alpha_2/\alpha]\tau_1 \to [(\alpha_1\to\alpha_2)/\alpha]\tau_1 \\
\Gamma \vdash e_1^{\mathrm{ow}} = e_2^{\mathrm{ow}} : \forall\alpha{::}T.\tau_1
\end{array}}{\Gamma \vdash \mathrm{typerec}[\alpha.\tau_1](A_1;\ e_1^{\to};\ e_1^{\mathrm{ow}}) = \mathrm{typerec}[\alpha.\tau_2](A_2;\ e_2^{\to};\ e_2^{\mathrm{ow}}) : [A_1/\alpha]\tau_1} \quad (9.6)$$ 

9.2.3 Dynamic Semantics 

The constructor-level and term-level evaluation contexts are each extended with one case: 

$$\begin{array}{lcl}
U & ::= & \cdots \mid \mathrm{Typerec}[\alpha.K](U;\ A^{\to};\ A^{\mathrm{ow}}) \\
C & ::= & \cdots \mid \mathrm{typerec}[\alpha.\tau](U;\ e^{\to};\ e^{\mathrm{ow}})
\end{array}$$ 

and there are four new instruction reduction steps: 

$$\begin{array}{lcl}
\mathrm{Typerec}[\alpha.K](A_1{\to}A_2;\ A^{\to};\ A^{\mathrm{ow}}) & \leadsto & A^{\to}\,(A_1)\,(A_2)\,(\mathrm{Typerec}[\alpha.K](A_1;\ A^{\to};\ A^{\mathrm{ow}}))\,(\mathrm{Typerec}[\alpha.K](A_2;\ A^{\to};\ A^{\mathrm{ow}})) \\
\mathrm{Typerec}[\alpha.K](A;\ A^{\to};\ A^{\mathrm{ow}}) & \leadsto & A^{\mathrm{ow}}\,(A), \quad \text{if } A \text{ not of the form } A_1{\to}A_2 \\
\mathrm{typerec}[\alpha.\tau](A_1{\to}A_2;\ e^{\to};\ e^{\mathrm{ow}}) & \leadsto & e^{\to}\,(A_1)\,(A_2)\,(\mathrm{typerec}[\alpha.\tau](A_1;\ e^{\to};\ e^{\mathrm{ow}}))\,(\mathrm{typerec}[\alpha.\tau](A_2;\ e^{\to};\ e^{\mathrm{ow}})) \\
\mathrm{typerec}[\alpha.\tau](A;\ e^{\to};\ e^{\mathrm{ow}}) & \leadsto & e^{\mathrm{ow}}\,(A), \quad \text{if } A \text{ not of the form } A_1{\to}A_2
\end{array}$$ 



9.3 Declarative Properties 

The proofs of Chapter 3 go through without any problems. Those proofs needing modifications 
merely require extra cases to be added for each of the new static semantic rules; these are 
straightforward uses of the inductive hypotheses. Preserved properties include substitution, validity, and 
functionality. 

The reduction rule for Typerec is not admissible. However, it is interesting to note that the 
system comes very close to having an admissible extensionality rule for Typerec. Suppose this 
construct contained no kind annotation, as in the formulation of Harper and Morrisett [HL94]. 
The well-formedness rule would be little changed: 

$$\frac{\begin{array}{c}
\Gamma \vdash A :: T \qquad \Gamma, \alpha{::}T \vdash K \\
\Gamma \vdash A^{\to} :: \Pi\alpha_1{::}T.\Pi\alpha_2{::}T.[\alpha_1/\alpha]K \to [\alpha_2/\alpha]K \to [(\alpha_1\to\alpha_2)/\alpha]K \\
\Gamma \vdash A^{\mathrm{ow}} :: \Pi\alpha{::}T.K
\end{array}}{\Gamma \vdash \mathrm{Typerec}(A;\ A^{\to};\ A^{\mathrm{ow}}) :: [A/\alpha]K}$$ 

But assume now that $\Gamma \vdash f :: T \to L$ for some kind $L$, and $\Gamma \vdash A :: T$. By taking $K = S(f(\alpha) :: L)$ 
in the above rule we can derive 

$$\Gamma \vdash \mathrm{Typerec}(A;\ \lambda\alpha_1{::}T.\lambda\alpha_2{::}T.\lambda\_{::}L.\lambda\_{::}L.f(\alpha_1\to\alpha_2);\ \lambda\alpha_1{::}T.f(\alpha_1)) :: S(f(A) :: L),$$ 

where I have used $\_$ to denote function arguments which are not used in their body. It follows, 
then, that 

$$\Gamma \vdash f(A) = \mathrm{Typerec}(A;\ \lambda\alpha_1{::}T.\lambda\alpha_2{::}T.\lambda\_{::}L.\lambda\_{::}L.f(\alpha_1\to\alpha_2);\ \lambda\alpha_1{::}T.f(\alpha_1)) :: L.$$ 

This is exactly analogous to the standard extensionality rule for sum types [Mit96]: 

$$f(z) = (\mathtt{case}\ z\ \mathtt{of}\ \mathtt{inl}\ x \Rightarrow f(\mathtt{inl}\ x) \mid \mathtt{inr}\ x \Rightarrow f(\mathtt{inr}\ x)).$$ 
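The restricted recursion scheme of §9.2.1, the four instruction steps of §9.2.3 and the extensionality observation just made can all be run on a tiny closed constructor language. The Python below is an added example, not code from the dissertation or from TILT; it assumes closed constructors of kind T encoded as tuples (`('int',)`, `('arrow', A1, A2)`, `('prod', A1, A2)`), and it represents the arms $A^{\to}$, $A^{\mathrm{ow}}$ (or $e^{\to}$, $e^{\mathrm{ow}}$) as Python callables standing in for the object-level functions, so the same reduction routine serves both the constructor-level Typerec and the term-level typerec.

```python
# Added example (not from the dissertation or TILT): an evaluator for the Typerec/typerec
# instruction steps on closed constructors of kind T, encoded as tuples
#   ('int',)   ('arrow', A1, A2)   ('prod', A1, A2)
# The arms are Python callables: arm_arrow(a1, a2, r1, r2) plays A^-> (resp. e^->) applied
# to the two components and the two recursive results, arm_ow(a) plays A^ow (resp. e^ow).

def is_arrow(A):
    return A[0] == 'arrow'

def typerec(A, arm_arrow, arm_ow):
    """Primitive recursion over a closed constructor A, following Section 9.2.3:
         Typerec(A1->A2; A^->; A^ow) ~> A^->(A1)(A2)(Typerec(A1; ...))(Typerec(A2; ...))
         Typerec(A;      A^->; A^ow) ~> A^ow(A)          if A is not of the form A1->A2
    """
    if is_arrow(A):
        _, A1, A2 = A
        return arm_arrow(A1, A2, typerec(A1, arm_arrow, arm_ow), typerec(A2, arm_arrow, arm_ow))
    return arm_ow(A)            # the "otherwise" case sees the whole constructor

# Constructor-level use (a Typerec of kind T): replace every function type by a pair type of
# the translated argument and result types.  In the notation of Section 9.2.1:
#   F(a1 -> a2) = G(a1)(a2)(F(a1))(F(a2)) with G(_)(_)(r1)(r2) = r1 x r2,   F(a) = H(a) = a.
def arrows_to_pairs(A):
    return typerec(A, lambda a1, a2, r1, r2: ('prod', r1, r2), lambda a: a)

# Term-level use (a typerec computing an integer): the arity of a function type.  Only the
# recursive result for the codomain is used; the other arguments are ignored, like the
# `_` arguments in the extensionality example of Section 9.3.
def arity(A):
    return typerec(A, lambda a1, a2, r1, r2: 1 + r2, lambda a: 0)

# Term-level use: a marshaling descriptor string, the kind of generic routine the chapter
# names as an application of intensional type analysis.
def describe(A):
    def arrow_case(a1, a2, d1, d2):
        return '(' + d1 + ' -> ' + d2 + ')'
    def other_case(a):
        # the restricted Typerec does not recurse into products, so the otherwise
        # arm receives the whole product constructor and describes it opaquely
        return 'pair' if a[0] == 'prod' else a[0]
    return typerec(A, arrow_case, other_case)

# Section 9.3: for any f, Typerec(A; \a1.\a2.\_.\_.f(a1->a2); \a1.f(a1)) computes f(A).
def extensionality_instance(f, A):
    return typerec(A, lambda a1, a2, _r1, _r2: f(('arrow', a1, a2)), f)

# Constructed sample inputs.
INT = ('int',)
A_CURRIED = ('arrow', INT, ('arrow', INT, INT))               # int -> (int -> int)
A_HIGHER = ('arrow', ('arrow', INT, INT), ('prod', INT, INT))  # (int -> int) -> (int x int)
```

Because `typerec` recurses only through `arrow`, `arrows_to_pairs(A_HIGHER)` rewrites both arrows but leaves the inner `int x int` untouched, exactly the behaviour the restriction in §9.2.1 prescribes; `extensionality_instance(describe, A)` returns the same string as `describe(A)` for every closed `A`, which is the equation derived in §9.3.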
9.4 Algorithms for Constructors and Kinds 

To make the following algorithms readable, for any kind $K$ I will use $K^{\alpha}$ to stand for the kind 

$$\Pi\alpha_1{::}T.\Pi\alpha_2{::}T.[\alpha_1/\alpha]K \to [\alpha_2/\alpha]K \to [(\alpha_1\to\alpha_2)/\alpha]K.$$ 

This is the kind of the function-type constructor arm of a Typerec whose kind annotation is $[\alpha.K]$. 

The principal kind for a well-formed Typerec is easily computed from the kind annotation: 

$$\Gamma \rhd \mathrm{Typerec}[\alpha.K](A;\ A^{\to};\ A^{\mathrm{ow}}) \Uparrow S(\mathrm{Typerec}[\alpha.K](A;\ A^{\to};\ A^{\mathrm{ow}}) :: [A/\alpha]K),$$ 

but actually checking that a Typerec is well-formed requires more work: 

$$\Gamma \rhd \mathrm{Typerec}[\alpha.K](A;\ A^{\to};\ A^{\mathrm{ow}}) \Rightarrow [A/\alpha]K$$ 
if $\Gamma, \alpha{::}T \rhd K$, $\Gamma \rhd A \Leftarrow T$, 
$\Gamma \rhd A^{\to} \Leftarrow K^{\alpha}$, and $\Gamma \rhd A^{\mathrm{ow}} \Leftarrow \Pi\alpha{::}T.K$. 

I extend the notion of a constructor-level path to allow Typerec’s: 

$$\mathcal{E} ::= \cdots \mid \mathrm{Typerec}[\alpha.K](\mathcal{E};\ A^{\to};\ A^{\mathrm{ow}})$$ 

Then the equivalence algorithm is extended with the following cases: 

Kind extraction 

$$\Gamma \rhd \mathrm{Typerec}[\alpha.K](A;\ A^{\to};\ A^{\mathrm{ow}}) \uparrow [A/\alpha]K$$ 

Weak head reduction 

$$\Gamma \rhd \mathcal{E}[\mathrm{Typerec}[\alpha.K](A_1{\to}A_2;\ A^{\to};\ A^{\mathrm{ow}})] \leadsto 
\mathcal{E}[A^{\to}\,(A_1)\,(A_2)\,(\mathrm{Typerec}[\alpha.K](A_1;\ A^{\to};\ A^{\mathrm{ow}}))\,(\mathrm{Typerec}[\alpha.K](A_2;\ A^{\to};\ A^{\mathrm{ow}}))]$$ 

$$\Gamma \rhd \mathcal{E}[\mathrm{Typerec}[\alpha.K](A;\ A^{\to};\ A^{\mathrm{ow}})] \leadsto \mathcal{E}[A^{\mathrm{ow}}\,(A)] \quad \text{if } A \text{ not of the form } A_1{\to}A_2$$ 

Algorithmic path equivalence 

$$\Gamma \rhd \mathrm{Typerec}[\alpha.K_1](p_1;\ A_1^{\to};\ A_1^{\mathrm{ow}}) \leftrightarrow \mathrm{Typerec}[\alpha.K_2](p_2;\ A_2^{\to};\ A_2^{\mathrm{ow}}) \uparrow [p_1/\alpha]K_1$$ 
if $\Gamma, \alpha{::}T \rhd K_1 \Leftrightarrow K_2$, $\Gamma \rhd p_1 \leftrightarrow p_2 \uparrow T$, 
$\Gamma \rhd A_1^{\to} \Leftrightarrow A_2^{\to} :: K_1^{\alpha}$, 
and $\Gamma \rhd A_1^{\mathrm{ow}} \Leftrightarrow A_2^{\mathrm{ow}} :: \Pi\alpha{::}T.K_1$. 

It is straightforward to show that soundness is preserved by the above modifications. 


9.5 Completeness and Decidability for Constructors and Kinds 

The revised version of path equivalence is extended in the obvious fashion: 

$$\Gamma_1 \rhd \mathrm{Typerec}[\alpha.K_1](p_1;\ A_1^{\to};\ A_1^{\mathrm{ow}}) \uparrow [p_1/\alpha]K_1 \;\leftrightarrow\; \Gamma_2 \rhd \mathrm{Typerec}[\alpha.K_2](p_2;\ A_2^{\to};\ A_2^{\mathrm{ow}}) \uparrow [p_2/\alpha]K_2$$ 

if $\Gamma_1, \alpha{::}T \rhd K_1 \Leftrightarrow \Gamma_2, \alpha{::}T \rhd K_2$, 
$\Gamma_1 \rhd p_1 \uparrow T \leftrightarrow \Gamma_2 \rhd p_2 \uparrow T$, 
$\Gamma_1 \rhd A_1^{\to} :: K_1^{\alpha} \Leftrightarrow \Gamma_2 \rhd A_2^{\to} :: K_2^{\alpha}$, 
and $\Gamma_1 \rhd A_1^{\mathrm{ow}} :: \Pi\alpha{::}T.K_1 \Leftrightarrow \Gamma_2 \rhd A_2^{\mathrm{ow}} :: \Pi\alpha{::}T.K_2$. 
The logical relations, however, need not change. One point to be aware of is that a 
path $\mathcal{E}[c]$ is no longer guaranteed to be head-normal, because of cases like 

$$\mathrm{Typerec}[\alpha.T](\mathrm{Int};\ A^{\to};\ A^{\mathrm{ow}}).$$ 

Thus, for example, parts 3 and 4 of Lemma 5.3.9 must be restricted to the case where $p_1$ 
and $p_2$ are either both of the form $\mathcal{E}_i[\alpha]$ or else both of the form $\mathcal{E}_i[c]$ and head-normal. In all cases in which this 
lemma has been invoked, one of these two cases holds. (For the same reason, Proposition 5.3.15 
must be restricted to the case in which $\mathcal{E}_1[c_1]$ and $\mathcal{E}_2[c_2]$ are both head-normal.) 

With the addition of new kinding and equivalence rules for Typerec, two new cases must be 
added to the proof of the logical relations theorem (Theorem 5.3.10). These cases follow from the 
following lemma: 

Lemma 9.5.1 

If $\Delta_1 \rhd A_1 :: T \Leftrightarrow \Delta_2 \rhd A_2 :: T$, $(\Delta_1;\ A_1^{\to};\ K_1^{\alpha})\ \mathbf{is}\ (\Delta_2;\ A_2^{\to};\ K_2^{\alpha})$, and 
$(\Delta_1;\ A_1^{\mathrm{ow}};\ \Pi\alpha{::}T.K_1)\ \mathbf{is}\ (\Delta_2;\ A_2^{\mathrm{ow}};\ \Pi\alpha{::}T.K_2)$ then 

$$(\Delta_1;\ \mathrm{Typerec}[\alpha.K_1](A_1;\ A_1^{\to};\ A_1^{\mathrm{ow}});\ [A_1/\alpha]K_1)\ \mathbf{is}\ (\Delta_2;\ \mathrm{Typerec}[\alpha.K_2](A_2;\ A_2^{\to};\ A_2^{\mathrm{ow}});\ [A_2/\alpha]K_2).$$ 

Proof: By induction on $\Delta_1 \rhd A_1 :: T \Leftrightarrow \Delta_2 \rhd A_2 :: T$. 

• Case: $\Delta_1 \rhd A_1 \Downarrow \mathcal{E}_1[\beta]$ and $\Delta_2 \rhd A_2 \Downarrow \mathcal{E}_2[\beta]$, with $\Delta_1 \rhd \mathcal{E}_1[\beta] \uparrow T \leftrightarrow \Delta_2 \rhd \mathcal{E}_2[\beta] \uparrow T$. 

1. Then $\mathrm{Typerec}[\alpha.K_1](\mathcal{E}_1[\beta];\ A_1^{\to};\ A_1^{\mathrm{ow}})$ and $\mathrm{Typerec}[\alpha.K_2](\mathcal{E}_2[\beta];\ A_2^{\to};\ A_2^{\mathrm{ow}})$ are 
head-normal. 

2. The last assumption in the statement of the lemma implies 
$(\Delta_1;\ \Pi\alpha{::}T.K_1)\ \mathbf{is}\ (\Delta_2;\ \Pi\alpha{::}T.K_2)$. 

3. By Lemma 5.3.9 parts 1 and 2, we have $\Delta_1 \rhd \mathrm{Typerec}[\alpha.K_1](\mathcal{E}_1[\beta];\ A_1^{\to};\ A_1^{\mathrm{ow}}) \uparrow 
[\mathcal{E}_1[\beta]/\alpha]K_1 \leftrightarrow \Delta_2 \rhd \mathrm{Typerec}[\alpha.K_2](\mathcal{E}_2[\beta];\ A_2^{\to};\ A_2^{\mathrm{ow}}) \uparrow [\mathcal{E}_2[\beta]/\alpha]K_2$. 

4. By the same lemma we have $(\Delta_1;\ \mathcal{E}_1[\beta];\ T)\ \mathbf{is}\ (\Delta_2;\ \mathcal{E}_2[\beta];\ T)$, 

5. and $(\Delta_1;\ [\mathcal{E}_1[\beta]/\alpha]K_1)\ \mathbf{is}\ (\Delta_2;\ [\mathcal{E}_2[\beta]/\alpha]K_2)$. 

6. By Lemma 5.3.9 part 4, it then follows that 
$(\Delta_1;\ \mathrm{Typerec}[\alpha.K_1](\mathcal{E}_1[\beta];\ A_1^{\to};\ A_1^{\mathrm{ow}});\ [\mathcal{E}_1[\beta]/\alpha]K_1)\ \mathbf{is}\ 
(\Delta_2;\ \mathrm{Typerec}[\alpha.K_2](\mathcal{E}_2[\beta];\ A_2^{\to};\ A_2^{\mathrm{ow}});\ [\mathcal{E}_2[\beta]/\alpha]K_2)$. 

7. Using Lemma 5.3.8 and Lemma 5.3.4 it follows that 
$(\Delta_1;\ \mathrm{Typerec}[\alpha.K_1](A_1;\ A_1^{\to};\ A_1^{\mathrm{ow}});\ [A_1/\alpha]K_1)\ \mathbf{is}\ 
(\Delta_2;\ \mathrm{Typerec}[\alpha.K_2](A_2;\ A_2^{\to};\ A_2^{\mathrm{ow}});\ [A_2/\alpha]K_2)$. 

• Case: $\Delta_1 \rhd A_1 \Downarrow \mathcal{E}_1[\to]$ and $\Delta_2 \rhd A_2 \Downarrow \mathcal{E}_2[\to]$, with $\Delta_1 \rhd \mathcal{E}_1[\to] \uparrow T \leftrightarrow \Delta_2 \rhd \mathcal{E}_2[\to] \uparrow T$. 

1. Since $\Delta_1 \rhd \mathcal{E}_1[\to] \uparrow T$, it follows that $\Delta_1 \rhd A_1 \Downarrow A_1'{\to}A_1''$, and similarly that 
$\Delta_2 \rhd A_2 \Downarrow A_2'{\to}A_2''$, 

2. and that $\Delta_1 \rhd A_1' :: T \Leftrightarrow \Delta_2 \rhd A_2' :: T$ and $\Delta_1 \rhd A_1'' :: T \Leftrightarrow \Delta_2 \rhd A_2'' :: T$. 

3. By the inductive hypothesis, then, $(\Delta_1;\ \mathrm{Typerec}[\alpha.K_1](A_1';\ A_1^{\to};\ A_1^{\mathrm{ow}});\ [A_1'/\alpha]K_1)\ \mathbf{is}\ 
(\Delta_2;\ \mathrm{Typerec}[\alpha.K_2](A_2';\ A_2^{\to};\ A_2^{\mathrm{ow}});\ [A_2'/\alpha]K_2)$, 

4. and $(\Delta_1;\ \mathrm{Typerec}[\alpha.K_1](A_1'';\ A_1^{\to};\ A_1^{\mathrm{ow}});\ [A_1''/\alpha]K_1)\ \mathbf{is}\ 
(\Delta_2;\ \mathrm{Typerec}[\alpha.K_2](A_2'';\ A_2^{\to};\ A_2^{\mathrm{ow}});\ [A_2''/\alpha]K_2)$. 

5. Therefore, 
$(\Delta_1;\ A_1^{\to}\,(A_1')\,(A_1'')\,(\mathrm{Typerec}[\alpha.K_1](A_1';\ A_1^{\to};\ A_1^{\mathrm{ow}}))\,(\mathrm{Typerec}[\alpha.K_1](A_1'';\ A_1^{\to};\ A_1^{\mathrm{ow}}));\ [A_1'{\to}A_1''/\alpha]K_1)\ \mathbf{is}\ 
(\Delta_2;\ A_2^{\to}\,(A_2')\,(A_2'')\,(\mathrm{Typerec}[\alpha.K_2](A_2';\ A_2^{\to};\ A_2^{\mathrm{ow}}))\,(\mathrm{Typerec}[\alpha.K_2](A_2'';\ A_2^{\to};\ A_2^{\mathrm{ow}}));\ [A_2'{\to}A_2''/\alpha]K_2)$. 

6. By Lemma 5.3.8 and Lemma 5.3.4, $(\Delta_1;\ \mathrm{Typerec}[\alpha.K_1](A_1;\ A_1^{\to};\ A_1^{\mathrm{ow}});\ [A_1/\alpha]K_1)\ \mathbf{is}\ 
(\Delta_2;\ \mathrm{Typerec}[\alpha.K_2](A_2;\ A_2^{\to};\ A_2^{\mathrm{ow}});\ [A_2/\alpha]K_2)$. 

• Case: $\Delta_1 \rhd A_1 \Downarrow \mathcal{E}_1[c]$ and $\Delta_2 \rhd A_2 \Downarrow \mathcal{E}_2[c]$ where $c$ is not $\to$. Analogous to the previous case, although 
there is no need to appeal to the inductive hypothesis for the “otherwise” case. ∎ 

Then the remaining decidability results for the constructor and kind algorithms go through 
unchanged. Finally, the normalization algorithm must be extended with a new case: 

$$\Gamma \rhd \mathrm{Typerec}[\alpha.K](p;\ A^{\to};\ A^{\mathrm{ow}}) \Longrightarrow \mathrm{Typerec}[\alpha.K'](p';\ A^{\to\prime};\ A^{\mathrm{ow}\prime}) \uparrow [p/\alpha]K$$ 

if $\Gamma, \alpha{::}T \rhd K \Longrightarrow K'$, $\Gamma \rhd p :: T \Longrightarrow p'$, 
$\Gamma \rhd A^{\to} :: K^{\alpha} \Longrightarrow A^{\to\prime}$, 
and $\Gamma \rhd A^{\mathrm{ow}} :: \Pi\alpha{::}T.K \Longrightarrow A^{\mathrm{ow}\prime}$. 

9.6 Algorithms for Type and Term Judgments 

In analogy with the notation for kinds, for any type $\tau$ I write $\tau^{\alpha}$ to represent the type 

$$\forall\alpha_1{::}T.\forall\alpha_2{::}T.[\alpha_1/\alpha]\tau \to [\alpha_2/\alpha]\tau \to [(\alpha_1\to\alpha_2)/\alpha]\tau.$$ 

This is the type of the function type-constructor case of a term-level typerec annotated with $[\alpha.\tau]$. 

Head-normalization and other properties of types are unaffected by the addition of Typerec and 
typerec. A new case must be added to the algorithm for computing principal types 

$$\Gamma \rhd \mathrm{typerec}[\alpha.\tau](A;\ e^{\to};\ e^{\mathrm{ow}}) \Uparrow [A/\alpha]\tau,$$ 

to weak term equivalence 

$$\Gamma \rhd \mathrm{typerec}[\alpha.\tau_1](A_1;\ e_1^{\to};\ e_1^{\mathrm{ow}}) \Leftrightarrow \mathrm{typerec}[\alpha.\tau_2](A_2;\ e_2^{\to};\ e_2^{\mathrm{ow}})$$ 
if $\Gamma, \alpha{::}T \rhd \tau_1 \Leftrightarrow \tau_2$, $\Gamma \rhd A_1 \Leftrightarrow A_2 :: T$, 
$\Gamma \rhd e_1^{\to} \Leftrightarrow e_2^{\to}$, and $\Gamma \rhd e_1^{\mathrm{ow}} \Leftrightarrow e_2^{\mathrm{ow}}$, 

and to type synthesis 

$$\Gamma \rhd \mathrm{typerec}[\alpha.\tau](A;\ e^{\to};\ e^{\mathrm{ow}}) \Rightarrow [A/\alpha]\tau$$ 
if $\Gamma, \alpha{::}T \rhd \tau$, $\Gamma \rhd A \Leftarrow T$, 
$\Gamma \rhd e^{\to} \Leftarrow \tau^{\alpha}$, and $\Gamma \rhd e^{\mathrm{ow}} \Leftarrow \forall\alpha{::}T.\tau$. 

9.7 Completeness and Decidability for Types and Terms 

The symmetrized weak term equivalence algorithm gets a new case: 

$$\Gamma_1 \rhd \mathrm{typerec}[\alpha.\tau_1](A_1;\ e_1^{\to};\ e_1^{\mathrm{ow}}) \Leftrightarrow \Gamma_2 \rhd \mathrm{typerec}[\alpha.\tau_2](A_2;\ e_2^{\to};\ e_2^{\mathrm{ow}})$$ 
if $\Gamma_1, \alpha{::}T \rhd \tau_1 \Leftrightarrow \Gamma_2, \alpha{::}T \rhd \tau_2$, $\Gamma_1 \rhd A_1 :: T \Leftrightarrow \Gamma_2 \rhd A_2 :: T$, 
$\Gamma_1 \rhd e_1^{\to} \Leftrightarrow \Gamma_2 \rhd e_2^{\to}$, and $\Gamma_1 \rhd e_1^{\mathrm{ow}} \Leftrightarrow \Gamma_2 \rhd e_2^{\mathrm{ow}}$. 

Again, the logical relations are unchanged. The new case for the proof that declarative equivalence 
implies algorithmic equivalence follows directly from the inductive hypothesis. The completeness 
and decidability results then hold unchanged, as does strengthening for term variables. 

9.8 Properties of Evaluation 

Even if Proposition 5.3.15 is restricted to head-normal paths as suggested above, one can still prove 
the Canonical Forms lemmas. Thus it is easy to see that evaluation of well-typed terms never gets 
“stuck”. 
Chapter 10 

Conclusion 


10.1 Summary of Contributions 

In this dissertation I have presented the MIL₀ calculus, which models the internal language used 
by the TILT compiler. The language contains two variants of singletons: singletons with $\beta\eta$-equivalence 
(instantiated as singleton kinds) and labeled singletons with a weak term equivalence 
(instantiated as singleton types). The former is particularly simple and elegant, but is unusually 
context-sensitive. 

I have thoroughly studied the equational and proof-theoretic properties of the MIL₀ calculus, 
and have shown that typechecking is decidable. I have presented algorithms for implementing 
typechecking; those for constructors and kinds form the basis of the typechecker implementation 
in the TILT compiler [Pet00]. 

The equivalence algorithm for type constructors employs an apparently novel kind-directed 
framework. This is extremely well-suited for cases in which equivalence is dependent upon the 
classifier. Examples of other such languages include those with terminal types (where all terms of 
this type are equal), or calculi with records and width subtyping (where equivalence of two records 
depends only on the equivalence of the subset of fields mentioned in the classifying record type). 
This approach can even be used in the absence of subtyping, subkinding, or singletons [HP99]. 

The correctness proofs for my equivalence algorithms employ an unusual variant of Kripke 
logical relation, in which the relations are indexed by two kinds or types and by two worlds. This 
permits a very straightforward proof of correctness for the equivalence algorithms. I have found the 
logical relations approach to proving completeness to be remarkably robust under minor changes 
to the equational theory; even the addition of type analysis constructs requires few changes. 

Crary has used the results of Chapter 5 to show that a language with singleton kinds can be 
translated into a language without, in a fashion which preserves well-typedness [Cra00]. Intuitively, 
one can certainly “substitute in” all of the definitions induced by singletons. However, the correctness 
of afterwards erasing all singleton kinds is a form of strengthening property. Crary proves 
this by working with the algorithmic form of constructor equivalence. 

10.2 Related Work 

10.2.1 Singletons and Definitions in Type Systems 

The main previous study of singleton types in the literature is due to Aspinall [Asp95, Asp97]. He 
studied a calculus $\lambda_{\le\{\}}$ containing singleton types, dependent function types, and $\beta$-equivalence. 
Labeled singletons are primitive notions in this system; in the absence of $\eta$-equivalence the encoding 
of §2.3 does not work. He conjectured that term equivalence in $\lambda_{\le\{\}}$ was decidable, but gave no 
algorithm. 

Crary has also used singleton types and singleton kinds. His thesis [Cra98] includes a system 
whose kind system extends the one presented here with subtyping and power kinds. He also 
conjectured that both type equivalence and typechecking were decidable. 

Crary has also used an extremely simple form of singleton type (with no elimination rule or 
subtyping) in order to prove parametricity results [Cra99]. As one example, he shows that any 
function $f$ of type $\forall\alpha.\alpha\to\alpha$ must act as the identity because 

$$f(S(v : \tau))(v) : S(v : \tau)$$ 

so by soundness of the type system any value returned by this application must be equal to $v$. 
Furthermore, evaluation in his system obviously does not depend upon type arguments to functions, 
so $f$ must act as an identity¹ for every argument of any type. (This argument does not apply to 
MIL₀ because here singleton types are not type constructors.) 

There are other ways to support equational information in a type system besides singleton 
types. Severi and Poll [SP94] study confluence and normalization of $\beta\delta$-reduction for a pure type 
system with definitions (let bindings), where $\delta$ is the replacement of an occurrence of a variable 
with its definition. In this system, the typing context contains both the type for each variable, and 
an optional definition. This calculus contains no notion of partial definition, no subtyping, and 
cannot express constraints on function arguments. This approach may be sufficient to represent 
information needed for cross-module inlining (particularly when based upon the lambda-splitting 
work of Blume and Appel [BA97, Blu97]), but this cannot model sharing constraints or definitions 
in a modular framework (where only some parts of a module have known definition). 

Type-theoretic studies of the SML module system have been carried out by Harper and Lillibridge 
under the name of translucent sums [HL94, Lil97], in which modules are first-class values, and 
by Leroy under the name of manifest types [Ler94], in which modules are second-class. These 
two systems are essentially similar: the calculus includes module constructs, and corresponding 
signatures; as in Standard ML the type components of signatures may optionally specify definitions. 
The key difference from MIL₀ is that type definitions are specified at the type level, rather than 
at the kind level. Because of this, type equivalence does depend on the typing context but not 
on the (unique) classifying kind. Typechecking for translucent sums is undecidable (although type 
equivalence is decidable). No analogous result is known for manifest types; modules may lack 
most-specific signatures, prohibiting standard methods for typechecking. 

A very powerful construct is the $I$-type of Martin-Löf’s extensional type theory [ML84, Hof95]. 
A term of type $I(e_1, e_2)$ represents a proof that $e_1$ and $e_2$ are equivalent. This can lead to undecidable 
typechecking very quickly, as one can use this to add arbitrary equations as assumptions 
in the typing context. 

The language Dylan [Sha96] contains a notion of “singleton type”, but these are checked only 
at run-time (essentially pointer-equality) to resolve dynamic overloading. 

10.2.2 Decidability of Equivalence and Typechecking 

My approach to implementing and studying constructor equivalence was inspired by work by 
Coquand for a dependently-typed lambda calculus [Coq91]. However, because his equivalence 
was not context-sensitive in any way, both our algorithm and proof are substantially different from 
Coquand’s. Because of issues such as the form of the validity logical relations and the particular 
symmetry and transitivity properties of the 6-place algorithm, our initial attempts to use more 
traditional Kripke logical relations (with a pair of contexts being a single world) were unsuccessful. 

¹ Up to type annotations, which as just stated do not affect evaluation behavior. 

Systems in which equivalence depends upon the typing context were mentioned in §10.2.1. However, 
there appear to be relatively few decidability results for lambda calculi with typing-context-sensitive 
or classifier-sensitive equivalences, perhaps because standard techniques of rewriting to 
normal form are difficult to apply. Many calculi include subtyping but not subkinding; in such 
cases either only type equivalence is considered (which is independent of subtyping) or else term 
equivalence is not affected by subtyping and hence can be computed in a context-free manner. 

One exception is the work of Curien and Ghelli [CG94], who proved the decidability of term 
equivalence in $F_{\le}$ with $\beta$-reduction and a Top type. Because their Top type is both terminal 
and maximal, equivalence depends on both the typing context and the type at which terms are 
compared. They eliminate context-sensitivity by inserting explicit coercions to mark uses of subsumption 
and then give a rewriting strategy for the calculus with coercions. Their proof uses 
translations between three different typed $\lambda$-calculi. 

It would be interesting to see if the approach used for MIL₀ could be applied to their source 
language, avoiding the use of translations. Although adapting my equivalence algorithm seems 
easy, the fact that they study an impredicative calculus would require an extension of the theory 
in order to prove the completeness of this algorithm. 

Compagnoni and Goguen [CG97] also use a normalization algorithm and Kripke logical relations 
argument for proving properties (including decidability of subtyping) for a variant of $F_{\le}$ 
with higher-order subtyping and the kernel Fun rule [CW85] for quantifier subtyping. 
However, adapting these methods to include subkinding and $\eta$-expansion seems nontrivial. 

10.3 Open Questions and Conjectures 

I conclude with an overview of several remaining issues which could be the subject of future work 
in the study of singleton types and kinds. 

10.3.1 Removing Type Annotations from let 

The primary practical defect of the MIL₀ term language appears to be the required type labels in 
let-bindings — in particular, the type annotation on the bound variable. Because a local binding is 
required for every sub-computation, these type annotations can substantially increase the total size 
of a program. This exacts not only a penalty in the space consumed by the program’s representation, 
but also costs time in manipulating the representation: the typechecker must verify the correctness 
of these annotations, transformations such as substitutions or optimizations must be applied to 
all of the annotations, and so on. Furthermore, if one wishes to bind $x$ to the pair $\langle 3,4\rangle$, one 
must choose whether to annotate this binding with the simple type $\mathtt{int}\times\mathtt{int}$, or one of its larger but 
more-precise types: $S(3 : \mathtt{int})\times S(4 : \mathtt{int})$ or $S(\langle 3,4\rangle : \mathtt{int}\times\mathtt{int})$ or even $S(\langle 3,4\rangle : S(3 : \mathtt{int})\times S(4 : \mathtt{int}))$. 

This is easy to change in the MIL₀ definition; the mediating type of the bound variable is simply 
chosen nondeterministically. In this fashion Rule 2.76 becomes 

$$\frac{\Gamma \vdash e' : \tau' \qquad \Gamma, x{:}\tau' \vdash e : \tau \qquad \Gamma \vdash \tau}{\Gamma \vdash (\mathtt{let}\ x{=}e'\ \mathtt{in}\ e : \tau\ \mathtt{end}) : \tau}$$ 

and Rule 2.89 becomes 

$$\frac{\Gamma \vdash e_1' = e_2' : \tau' \qquad \Gamma \vdash \tau_1 = \tau_2 \qquad \Gamma, x{:}\tau' \vdash e_1 = e_2 : \tau_1}{\Gamma \vdash (\mathtt{let}\ x{=}e_1'\ \mathtt{in}\ e_1 : \tau_1\ \mathtt{end}) = (\mathtt{let}\ x{=}e_2'\ \mathtt{in}\ e_2 : \tau_2\ \mathtt{end}) : \tau_1}$$ 

Adapting the algorithm for checking the well-formedness of a let-binding is easy: just replace 
uses of the annotation with uses of the principal type of the bound expression, which is already 
being calculated. As the type annotation need no longer be validated, this requires doing strictly 
less work. 

Unfortunately, computing equivalence of two let-bindings without this type annotation is more 
difficult. It should look something like the following: 

$$\Gamma \rhd (\mathtt{let}\ x{=}e_1'\ \mathtt{in}\ e_1 : \tau_1\ \mathtt{end}) \Leftrightarrow (\mathtt{let}\ x{=}e_2'\ \mathtt{in}\ e_2 : \tau_2\ \mathtt{end})$$ 
if $\Gamma \rhd e_1' \Leftrightarrow e_2'$, $\Gamma, x{:}???\ \rhd e_1 \Leftrightarrow e_2$, and $\Gamma \rhd \tau_1 \Leftrightarrow \tau_2$. 

But what type should $x$ be given while comparing $e_1$ and $e_2$? A problem arises: it is entirely possible 
for $e_1'$ and $e_2'$ to be well-formed and for $\Gamma \rhd e_1' \Leftrightarrow e_2'$ but for $e_1'$ and $e_2'$ to have different principal 
types. (For example, assume $y{:}S(\langle 3,4\rangle : \mathtt{int}\times\mathtt{int})$ and compare $y$ with $\langle 3,4\rangle$.) If I attempt to avoid 
this asymmetry by maintaining two contexts and using both principal types, then the contexts 
maintained by the algorithm no longer remain provably equivalent and properties like soundness 
become more difficult to show. 

However, any two equivalent terms in weak head-normal form have equivalent principal types. 
More generally, any two well-formed terms equivalent under the weak term equivalence relation 
have provably equivalent principal types. This suggests the strategy of using the principal type of 
the head-normal form of either let-bound expression: 

$$\Gamma \rhd (\mathtt{let}\ x{=}e_1'\ \mathtt{in}\ e_1 : \tau_1\ \mathtt{end}) \Leftrightarrow (\mathtt{let}\ x{=}e_2'\ \mathtt{in}\ e_2 : \tau_2\ \mathtt{end})$$ 
if $\Gamma \rhd e_1' \Leftrightarrow e_2'$, $\Gamma \rhd e_1' \Downarrow d_1'$, $\Gamma \rhd d_1' \Uparrow \tau'$, 
$\Gamma, x{:}\tau' \rhd e_1 \Leftrightarrow e_2$, and $\Gamma \rhd \tau_1 \Leftrightarrow \tau_2$, 

or using both equivalent types in the symmetric form of the algorithm. 

It is not too hard to show this modified algorithm is sound. The key insight is that if $d_i'$ is the 
head-normal form for $e_i'$ (for $i \in \{1,2\}$) then 

$$\Gamma \vdash (\mathtt{let}\ x{=}e_i'\ \mathtt{in}\ e_i : \tau_i\ \mathtt{end}) = (\mathtt{let}\ x{=}d_i'\ \mathtt{in}\ e_i : \tau_i\ \mathtt{end}) : \tau_i,$$ 

so that while comparing the bodies the algorithm can assume it was given $d_1'$ and $d_2'$ instead of $e_1'$ 
and $e_2'$, taking advantage of the equal principal types. 

Unfortunately, I cannot prove this algorithm complete. Everything goes through except the 
final step, proving that declarative equivalence implies logical equivalence. The difficulty is that 
the type $\tau'$ computed by the algorithm need not have a counterpart in the declarative proof of 
equivalence, so that the inductive hypothesis cannot be applied to $\tau'$. 

Conjecture 10.3.1 

The algorithm, modified as suggested here, is not only sound, but complete and terminating for 
the language where the type annotations are omitted from local variable bindings. 
10.3.2 Unlabeled Singleton Types 

Principal types in MIL₀ can be quite large. For example, the principal type of the pair $\langle\langle 2,3\rangle,\langle 4,5\rangle\rangle$ 
is 

$$S(\langle\langle 2,3\rangle,\langle 4,5\rangle\rangle : S(\langle 2,3\rangle : S(2 : \mathtt{int})\times S(3 : \mathtt{int})) \times S(\langle 4,5\rangle : S(4 : \mathtt{int})\times S(5 : \mathtt{int}))).$$ 

Despite the fact that this type classifies exactly the same values as the simpler type 

$$S(\langle\langle 2,3\rangle,\langle 4,5\rangle\rangle : (\mathtt{int}\times\mathtt{int})\times(\mathtt{int}\times\mathtt{int}))$$ 

these two types are not provably equivalent. The former is a strict subtype of the latter, and is 
hence the one which must be synthesized by the typechecking algorithms. Even if type equivalence 
were strengthened to equate these two types, experience in the TILT compiler with labeled singleton 
kinds has demonstrated that it is difficult to avoid generating singletons with redundant information 
in the labels. 
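The growth of labeled-singleton principal types is easy to measure on pair values. The following Python is an added example, not code from the dissertation or from TILT; it assumes values built only from integers and pairs (Python ints and 2-tuples), computes the principal type in the labeled-singleton form shown above beside the simpler labeled type, renders both, and counts their symbols for balanced pair trees of increasing depth.

```python
# Added example (not from the dissertation or TILT): principal types of pair values with
# labeled singletons.  Values are ints or 2-tuples; types are 'int', ('x', t1, t2) for
# t1 x t2, and ('S', v, t) for the labeled singleton S(v : t).

def principal_type(v):
    """n |-> S(n : int);  <v1,v2> |-> S(<v1,v2> : principal_type(v1) x principal_type(v2))."""
    if isinstance(v, int):
        return ('S', v, 'int')
    v1, v2 = v
    return ('S', v, ('x', principal_type(v1), principal_type(v2)))

def simple_type(v):
    """The non-singleton type of v: int, or the product of the components' simple types."""
    if isinstance(v, int):
        return 'int'
    v1, v2 = v
    return ('x', simple_type(v1), simple_type(v2))

def show_value(v):
    return str(v) if isinstance(v, int) else '<' + show_value(v[0]) + ',' + show_value(v[1]) + '>'

def show(t):
    """Render a type; a product operand that is itself a product is parenthesized."""
    if t == 'int':
        return 'int'
    if t[0] == 'S':
        return 'S(' + show_value(t[1]) + ' : ' + show(t[2]) + ')'
    def paren(u):
        s = show(u)
        return '(' + s + ')' if u != 'int' and u[0] == 'x' else s
    return paren(t[1]) + 'x' + paren(t[2])

def value_size(v):
    return 1 if isinstance(v, int) else 1 + value_size(v[0]) + value_size(v[1])

def size(t):
    """Number of symbols in a type, counting the value inside each singleton label."""
    if t == 'int':
        return 1
    if t[0] == 'S':
        return 1 + value_size(t[1]) + size(t[2])
    return 1 + size(t[1]) + size(t[2])

def balanced_pair(depth, counter=None):
    """Constructed input: a complete binary tree of pairs with 2**depth integer leaves."""
    counter = counter if counter is not None else [0]
    if depth == 0:
        counter[0] += 1
        return counter[0]
    return (balanced_pair(depth - 1, counter), balanced_pair(depth - 1, counter))

def growth(max_depth):
    """Rows (depth, size of principal type, size of S(v : simple_type(v))) for each depth."""
    rows = []
    for d in range(max_depth + 1):
        v = balanced_pair(d)
        rows.append((d, size(principal_type(v)), size(('S', v, simple_type(v)))))
    return rows

EXAMPLE = ((2, 3), (4, 5))     # the pair from the text
```

For the pair from the text the principal type has 31 symbols against 15 for the simpler labeled type, and `growth(3)` shows the gap widening with nesting depth: the label of each singleton repeats the whole value, and the product inside the label repeats the labels of both components.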

Furthermore, term equivalence is weak enough that it does not depend upon the classifying 
type. In a sense, then, the classifier in a singleton type is not adding useful information. An 
obvious alternative is the “unlabeled singleton” S(v) briefly considered by Aspinall. Declaratively 
one might have such rules as 

T h v : r 
T\-v: S{v) 

and 

r b v : r 

r b s(v) < r 

Finding a plausible typechecking algorithm for such a language has proven surprisingly difficult, 
however. Principal type synthesis becomes trivial (the principal type for any value v is just S(v)) 
and useless for the purposes of type-checking. What is needed is the “most-precise type that is 
not a singleton”, which for values is the “second-most-precise type” 2 . I do not yet have a plausible 
algorithm for when both projections and pairs are values 3 . 

Leaf Petersen has studied a variant of the MILo kind system which allows unlabeled singleton 
kinds [PetOO] to decrease the size of program representations. This has been implemented in TILT. 
His approach is to treat unlabeled singletons as an abbreviation mechanism, and he shows how to 
translate away all uses of unlabeled singletons. 

It is possible that a similar approach may work for singleton types. There are additional 
difficulties, however. In particular, mixing labeled and unlabeled singletons can cause problems. 
Assume we have a program context in which x has type int×int. Then under the natural translation 
approach one would expect S(x) to be equivalent to the labeled singleton type S(x : int×int). However, 
upon substituting the pair ⟨2,3⟩ the types become S(⟨2,3⟩) and S(⟨2,3⟩ : int×int), whereas 
the labeled singleton corresponding to the former of these two types is now the more precise type 
S(⟨2,3⟩ : S(2 : int)×S(3 : int)). 

Thus two equivalent types become inequivalent after substitution of a value for a variable. This 
means that substitution (and hence inlining) is no longer guaranteed to preserve well-formedness 
of programs. This is not a good property for a compiler representation to have. 

² Leaf Petersen has suggested this be called the “vice-principal type”. 

³ There are some hints, however, that computing types of values by looking at their head-normal forms may be 
possible. 

Conjecture 10.3.2 

If labeled singleton types are replaced completely with unlabeled singleton types, then there is still a 
reasonable algorithm for deciding well-formedness of programs. 

The current TILT implementation includes only singleton kinds. I intend to implement singleton 
types for cross-module inlining, based on the algorithm sketched here. 

10.3.3 Recursive Types 

Several authors from Amadio and Cardelli on [AC93, Bra97] have studied algorithms for deciding 
type equivalence for recursive types, which are viewed as representing infinite trees. This can be 
most simply formalized with two rules: the roll-unroll rule 

$\dfrac{\Gamma, \alpha{::}T \vdash A}{\Gamma \vdash \mu\alpha{::}T.A = [\mu\alpha{::}T.A/\alpha]A :: T}$ 

and a coinductive principle. Together these rules allow such equivalences as 

$\vdash (\mu\alpha{::}T.\mathrm{int}\to\alpha) = (\mu\alpha{::}T.\mathrm{int}\to(\mathrm{int}\to\alpha)) :: T.$ 

For the case of simple types where type equivalence is the congruence induced by these two 
rules, the standard simple algorithm combines structural comparison of the two types with 
unrolling whenever a recursive type is reached. To prevent infinite unrolling, a trail of the previously 
compared types is maintained; by the coinductive nature of equivalence, any comparison previously 
seen can simply be reported successful. 

The requirements for the TILT compiler appear to be much simpler; we need only the one rule 

$\dfrac{\Gamma \vdash [\mu\alpha{::}T.A_1/\alpha]A_1 = [\mu\alpha{::}T.A_2/\alpha]A_2 :: T}{\Gamma \vdash \mu\alpha{::}T.A_1 = \mu\alpha{::}T.A_2 :: T}$ 

That is, two recursive types are equal if their unrollings are equal. This is equivalent to the rule 

$\dfrac{\Gamma, \alpha{::}T \vdash A}{\Gamma \vdash \mu\alpha{::}T.A = \mu\alpha{::}T.[\mu\alpha{::}T.A/\alpha]A :: T}$ 

called “Shao’s Rule” in [CHC+98]. This is a much weaker equational theory; in contrast to the 
roll-unroll rule above, it equates recursive types only to other recursive types. 

There has been no study of algorithms for recursive types where there are other interesting 
type equations such as β-equivalence (e.g., Fω extended with recursive types). However, there is a 
seemingly natural extension of the simple algorithm above, which has been implemented in TILT. 

1. TILT keeps a trail of the pairs of recursive types previously compared; 

2. Whenever weak path equivalence is about to compare two recursive types, it adds them to 
the trail, unrolls the two types, and runs the general constructor equivalence algorithm on 
the two results. 

3. If a loop is detected, comparison fails. (Recall that we are not requiring equivalence to be 
coinductive.) 
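A small checker, added here as an illustration and not part of the dissertation or of TILT, that contrasts the coinductive algorithm for the roll-unroll rule with the trail-based inductive algorithm just listed for Shao’s rule. It works over simple recursive types only (int, arrows and μ), uses de Bruijn indices so that tuple equality is α-equivalence, and assumes (my addition, not stated in the text) that α-equivalent types are accepted by reflexivity before any unrolling, so that a type compared with itself does not trip the loop check.

```python
# Added example (not from the dissertation or the TILT source): structural
# equivalence of simple recursive types, coinductively (revisiting a pair on
# the trail succeeds) or under Shao's rule (revisiting fails, and a mu type
# is only ever equated with another mu type).
# Types: ("int",) | ("var", i) | ("arrow", dom, cod) | ("mu", body)
# Binders are de Bruijn indices, so tuple equality is alpha-equivalence.

INT = ("int",)

def subst(t, k, repl):
    """[repl/k]t, where repl is closed (so no index shifting is needed)."""
    tag = t[0]
    if tag == "var":
        return repl if t[1] == k else t
    if tag == "arrow":
        return ("arrow", subst(t[1], k, repl), subst(t[2], k, repl))
    if tag == "mu":
        return ("mu", subst(t[1], k + 1, repl))
    return t  # int

def unroll(t):
    """One step of unrolling a closed mu type: mu.A -> [mu.A / 0]A."""
    return subst(t[1], 0, t)

def equiv(a, b, coinductive):
    """coinductive=True : roll-unroll rule plus coinduction.
    coinductive=False: Shao's rule with the TILT-style trail (loop -> fail).
    Assumption (mine): alpha-equivalent types are equal by reflexivity first."""
    trail = []  # pairs of types unrolled on the current comparison path
    def go(a, b):
        if a == b:
            return True
        a_mu, b_mu = a[0] == "mu", b[0] == "mu"
        if (a_mu and b_mu) or (coinductive and (a_mu or b_mu)):
            if (a, b) in trail:
                return coinductive  # loop: success coinductively, else failure
            trail.append((a, b))
            result = go(unroll(a) if a_mu else a, unroll(b) if b_mu else b)
            trail.pop()
            return result
        if a_mu or b_mu:  # Shao's rule: a mu is equated only with a mu
            return False
        if a[0] == "arrow" and b[0] == "arrow":
            return go(a[1], b[1]) and go(a[2], b[2])
        return False
    return go(a, b)

# Constructed sample types from this section: mu a.int->a, mu a.int->(int->a),
# and mu a.int->(mu a.int->a), the Shao-rule unrolling of the first.
MU_INT_ARROW = ("mu", ("arrow", INT, ("var", 0)))
MU_INT_ARROW2 = ("mu", ("arrow", INT, ("arrow", INT, ("var", 0))))
MU_SHAO_UNROLLED = ("mu", ("arrow", INT, MU_INT_ARROW))
```

The first two sample types are equal coinductively but not under Shao’s rule, while the first and third are equal under both.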

Conjecture 10.3.3 

The above algorithm is sound, complete, and terminating for MIL₀ extended with recursive types 
and Shao’s rule. 

The difficulty in proving completeness and termination is that because of the trail I see no way 
to make this algorithm obviously transitive. This is a key step in my theoretical development, and 
so the approach I use in this dissertation does not appear to extend in any nice fashion. 